npm: Threats and Mitigations

We put together this page to give an overview of the most common attacks npm faces, a high-level description of how we mitigate those attacks, and links to more information.

Account Takeovers

By compromising passwords

This is the most common attack, not just on npm but on any web service. The best way to protect your account is to enable two-factor authentication (2FA). The strongest option is to use a security key, either built into your device or an external hardware key; it binds the authentication to the site you are accessing, making phishing exceedingly difficult. Not everyone has access to a security key though, so we also support authentication apps that generate one-time passcodes for 2FA.

Because of how common this attack is, and how critical npm packages are to the broader software ecosystem, we have undertaken a phased approach in mandating 2FA for npm package maintainers. This has already rolled out to the top-100 package maintainers and top-500 package maintainers, and in the near future, maintainers of all high-impact packages (those with 1 million+ weekly downloads or 500+ dependents) will be enrolled in mandatory 2FA.

We also recognize that passwords aren't going away any time soon. For users that don't opt in to 2FA, we do an enhanced login verification with a one-time password sent to their email to protect from account takeover.

By registering an expired email domain

Another method used to take over an account is by identifying accounts using an expired domain for their email address. An attacker could register the expired domain and recreate the email address used to register the account. With access to an account's registered email address, an attacker could take over an account not protected by 2FA via a password reset.

When a package is published, the email address associated with the account at the time of publishing is included in the public metadata. Attackers are able to utilize this public data to identify accounts that might be susceptible to account takeover. It is important to note that the email addresses stored in the public metadata of packages are not updated when a maintainer updates their email address. As such, crawling public metadata to identify accounts susceptible to expired domain takeover will result in false positives: accounts that appear to be vulnerable but are not.

npm does periodically check whether accounts' email addresses have expired domains or invalid MX records. When the domain has expired, we disable the account from doing a password reset and require the user to undergo account recovery or go through a successful authentication flow before they can reset their password.

Uploading Malicious Packages

By "typosquatting" / dependency confusion

Attackers may attempt to trick others into installing a malicious package by registering a package with a similar name to a popular package, in hopes that people will mistype or otherwise confuse the two. npm is able to detect typosquat attacks and block the publishing of these packages.
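The kind of check a registry or an organization's publish gate can run against a proposed package name, as an added example (this is not npm's own detector, and the list of popular names is constructed for the example):

```javascript
// Added example (not npm's own detector): flag a newly proposed package name
// that is one edit or a separator change away from a well-known name.
// The "popular" list is constructed for the example; a real deployment would
// feed it from download statistics.
const POPULAR = ["lodash", "express", "react", "chalk", "cross-env", "babel-core"];

// Optimal-string-alignment distance: Levenshtein plus adjacent transpositions,
// so "lodahs" is distance 1 from "lodash" instead of 2.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Collapse separator-only variants ("cross_env", "crossenv", "cross.env") onto
// one key; scopes are left in place because "@scope/name" is its own namespace.
function canonical(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Returns the popular package a candidate would be confused with, or null.
function typosquatTarget(candidate, popular = POPULAR) {
  if (popular.includes(candidate)) return null;   // the real package itself
  const c = canonical(candidate);
  for (const p of popular) {
    const q = canonical(p);
    if (q.length < 4) continue;                   // too short to judge by distance
    if (c === q || editDistance(c, q) === 1) return p;
  }
  return null;
}

console.log(["lodahs", "crossenv", "expres", "lodash", "fastify"].map(
  (n) => `${n}: ${typosquatTarget(n) ?? "ok"}`).join("\n"));
```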

A variant of this attack is when a public package is registered with the same name as a private package that an organization is using. We strongly encourage using scoped packages to ensure that a private package isn't being substituted with one from the public registry. While npm is not able to detect dependency confusion attacks, we have zero tolerance for malicious packages on the registry. If you believe you have identified a dependency confusion package, please let us know!
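A lockfile audit an organization can run to catch the substitution described above, as an added example (not npm's or any project's code): it assumes the private scope `@acme`, the internal registry URL `https://npm.internal.example/` (the same value an `.npmrc` line `@acme:registry=...` would carry) and a constructed package-lock.json fragment.

```javascript
// Added example (not npm's or any project's own code): audit a package-lock.json
// (lockfileVersion 2 or 3) for dependency-confusion exposure. The registry URL,
// the @acme scope and the legacy unscoped name below are assumed policy values.
const POLICY = {
  privateRegistry: "https://npm.internal.example/",
  privateScopes: ["@acme"],
  unscopedInternal: ["acme-internal-utils"],   // names that exist only in-house
};

// "node_modules/x/node_modules/@acme/auth" -> "@acme/auth"
function nameFromLockPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// One finding per package that should have come from the private registry
// but whose "resolved" URL points somewhere else.
function auditLockfile(lock, policy = POLICY) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(lockPath);
    if (!name || !entry.resolved) continue;       // root entry, links, workspaces
    if (entry.resolved.startsWith(policy.privateRegistry)) continue;
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (scope && policy.privateScopes.includes(scope)) {
      findings.push({ name, resolved: entry.resolved,
        reason: `private scope ${scope} resolved outside the internal registry` });
    } else if (!scope && policy.unscopedInternal.includes(name)) {
      findings.push({ name, resolved: entry.resolved,
        reason: "unscoped internal name served by a public registry; move it under a scope" });
    }
  }
  return findings;
}

// Constructed lockfile fragment: one clean private package, one scoped package
// that resolved from the public registry, one unscoped internal name, one normal dep.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "acme-app", version: "1.0.0" },
  "node_modules/@acme/auth": { version: "1.2.0",
    resolved: "https://npm.internal.example/@acme/auth/-/auth-1.2.0.tgz" },
  "node_modules/@acme/auth/node_modules/@acme/logger": { version: "0.3.1",
    resolved: "https://registry.npmjs.org/@acme/logger/-/logger-0.3.1.tgz" },
  "node_modules/acme-internal-utils": { version: "9.9.9",
    resolved: "https://registry.npmjs.org/acme-internal-utils/-/acme-internal-utils-9.9.9.tgz" },
  "node_modules/lodash": { version: "4.17.21",
    resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
} };
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it in CI against the committed lockfile; any finding means a name you expect to come from your own registry was fetched from elsewhere.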

By changing an existing package to have malicious behavior

Rather than tricking people into using a similarly named package, attackers also try to add malicious behavior to existing popular packages. In partnership with Microsoft, npm both scans packages for known malicious content and runs the packages to look for new patterns of behavior that could be malicious. This has led to a substantial reduction in malicious content in npm packages. Furthermore, our Trust and Safety team checks and removes malicious content reported by our users. Similar to dependency confusion attacks, we are constantly updating our detection services with new examples, so if you think a package contains malicious behavior, please let us know!