npm: Threats and Mitigations
We put together this page to give an overview of the most common attacks npm faces, a high-level description of how we mitigate those attacks, and links to more information.
Account Takeovers
By compromising passwords
This is the most common attack, not just on npm but on any web service. The best way to protect your account is to enable two-factor authentication (2FA). The strongest option is to use a security key, either built into your device or an external hardware key; it binds the authentication to the site you are accessing, making phishing exceedingly difficult. Not everyone has access to a security key though, so we also support authenticator apps that generate one-time passcodes for 2FA.
Because of how common this attack is, and how critical npm packages are to the broader software ecosystem, we have undertaken a phased approach to mandating 2FA for npm package maintainers. This has already rolled out to the top-100 package maintainers and top-500 package maintainers, and in the near future, maintainers of all high-impact packages (those with 1 million+ weekly downloads or 500+ dependents) will be enrolled in mandatory 2FA.
We also recognize that passwords aren't going away any time soon. For users that don't opt in to 2FA, we do an enhanced login verification with a one-time password sent to their email to protect from account takeover.
By registering an expired email domain
Another method used to take over an account is by identifying accounts that use an expired domain for their email address. An attacker could register the expired domain and recreate the email address used to register the account. With access to an account's registered email address, an attacker could take over an account not protected by 2FA via a password reset.
When a package is published, the email address associated with the account at the time of publishing is included in the public metadata. Attackers are able to use this public data to identify accounts that might be susceptible to account takeover. It is important to note that the email addresses stored in the public metadata of packages are not updated when a maintainer updates their email address. As such, crawling public metadata to identify accounts susceptible to expired-domain takeover will result in false positives: accounts that appear to be vulnerable but are not.
npm does periodically check whether accounts' email addresses have expired domains or invalid MX records. When the domain has expired, we disable the account from doing a password reset and require the user to undergo account recovery or go through a successful authentication flow before they can reset their password.
Uploading Malicious Packages
By "typosquatting" / dependency confusion
Attackers may attempt to trick others into installing a malicious package by registering a package with a name similar to that of a popular package, in the hope that people will mistype or otherwise confuse the two. npm is able to detect typosquat attacks and block the publishing of these packages.
A variant of this attack is when a public package is registered with the same name as a private package that an organization is using. We strongly encourage using scoped packages to ensure that a private package isn't being substituted with one from the public registry. While npm is not able to detect dependency confusion attacks, we have zero tolerance for malicious packages on the registry. If you believe you have identified a dependency confusion package, please let us know!
By changing an existing package to have malicious behavior
Rather than tricking people into using a similarly named package, attackers also try to add malicious behavior to existing popular packages. In partnership with Microsoft, npm both scans packages for known malicious content and runs the packages to look for new patterns of behavior that could be malicious. This has led to a substantial reduction in malicious content in npm packages. Furthermore, our Trust and Safety team checks and removes malicious content reported by our users. As with dependency confusion attacks, we are constantly updating our detection services with new examples, so if you think a package contains malicious behavior, please let us know!