Protecting Your Host from Malicious Dependencies
Article written by a human: Mike Cardwell
This isn't limited to NodeJS, but it seems to happen a lot more frequently in that ecosystem. A commonly used dependency gets compromised, developers install it when doing an npm install or updating packages, and they now have a trojan running on their host. A trojan that gives the attacker access to run arbitrary code, e.g. keyloggers to steal passwords as they are entered, theft of bitcoin wallets and SSH keys, etc.
The latest widely publicised version of this is in the Axios node library, which prompted me to write this blog post.
You need to protect the contents of your homedir in case you accidentally install one of these malicious packages. You can create different users for different projects, or use virtual machines, etc. What I've been doing for the past 7 years is just containerising my NodeJS projects during development. And it's no inconvenience at all. I wrote a simple Python script that I just named "npm" and dropped in my PATH. It's called Safernode and you can find it here.
A basic explanation of it is that when you run:
npm install foo
npm start
Something like this happens instead:
podman run -it --rm -w "$PWD" -v "$PWD:$PWD" node npm install foo
podman run -it --rm -w "$PWD" -v "$PWD:$PWD" node npm start
Safernode does some other fancy stuff on top of that, but that's the basic theory: run npm commands inside a container where they only have access to your current working directory. I.e., no access to ~/.ssh/, and anything they try to install to the system is lost as soon as the command exits and the container is deleted.
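A stripped-down wrapper built on the same idea, as an added example and not Safernode's own code: it constructs the podman command shown above and refuses to run when the working directory is the home directory or one of its ancestors, since mounting it would put ~/.ssh back inside the container. The function names and the home-directory guard are assumptions of this sketch, not features taken from Safernode.

```python
#!/usr/bin/env python3
"""Minimal sketch of a containerising "npm" wrapper (illustrative, not Safernode)."""
from __future__ import annotations

import os
import sys
from pathlib import Path

IMAGE = "node"  # image name taken from the podman commands in the post


def unsafe_workdir(cwd: Path, home: Path) -> bool:
    """True if mounting cwd would expose the whole home directory.

    That happens when cwd is the home directory itself or one of its
    ancestors (e.g. /home or /), because ~/.ssh then sits inside the mount.
    """
    cwd, home = cwd.resolve(), home.resolve()
    return cwd == home or cwd in home.parents


def build_command(tool: str, args: list[str], cwd: Path, home: Path) -> list[str]:
    """Return the podman argv that runs `tool args...` with only cwd mounted."""
    if unsafe_workdir(cwd, home):
        raise ValueError(f"refusing to mount {cwd}: it contains the home directory")
    cwd = cwd.resolve()
    return [
        "podman", "run", "-it", "--rm",
        "-w", str(cwd),          # same working directory inside the container
        "-v", f"{cwd}:{cwd}",    # the only host path the container can see
        IMAGE, tool, *args,
    ]


def main() -> None:
    try:
        cmd = build_command("npm", sys.argv[1:], Path.cwd(), Path.home())
    except ValueError as exc:
        sys.exit(f"npm wrapper: {exc}")
    os.execvp(cmd[0], cmd)  # replace this process with podman


if __name__ == "__main__":
    main()
```

Saved as an executable file named npm earlier in PATH than the real npm, it turns `npm install foo` in a project directory into the first podman command above.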
You might not notice that the code is malicious; you might commit the change and deploy it somewhere. This doesn't stop you from doing that. It just stops your development host being compromised, which I think is still a very valuable win for very little effort/inconvenience.