Our private github packages are showing up as malware
Related to https://github.com/github/advisory-database/issues/422
We started getting this dependabot alert https://github.com/advisories/GHSA-9824-332p-264p. It's unclear why this has happened, and I'm unsure how to resolve this. In the other issue the creator mentions that having a shadow package in npmjs.com caused this problem for them. We don't publish to npmjs.com anymore, but we used to do that under a different package name; that was many months ago, though, and it would be weird for it to only pop up now.
I believe I understand because I saw a similar situation.
They're alerting because they see a reference in your repo to a package name in which they found malware in a public package with the same name. Look at the package name they reference on npmjs - it is most likely going to show something like "published 0.0.1-security", meaning npm found malware and replaced the package with a no-op package. The dependabot alert scanner doesn't know you're using a local package with that name. They do know there is an npm package with that name which had malware, so they're alerting. The recommended solution to avoid the alert (and risk) is to scope internal packages to scopes you own.
You got the alert now because they kicked off an effort to publish advisories for malware packages yesterday. https://github.blog/2022-06-15-github-now-publishes-malware-advisories-in-the-github-advisory-database/
@martintreurnicht thank you for proactively sharing your experience and concern.
On June 15th, we announced GitHub added malware advisories to the GitHub Advisory Database, though we do not send Dependabot alerts on them.
We found that the majority of those alerts in question (possibly including the one you raised) were for substitution attacks. During these types of incidents, an attacker would publish a package to the public registry with the same name as a dependency users rely on from a third party or private registry, with the hope a malicious version would be consumed. As Dependabot doesn’t look at project configuration to determine if the packages are coming from a third-party registry, it has been triggering a notification for packages with the same name from the public npm registry. To resolve this issue in the short term, we paused all Dependabot notifications on malware advisories and will work to determine how to best notify customers of being the target of a substitution attack going forward.
If you are the owner of this package, it seems your package was the target of a substitution attack. However, it does not mean that there is an immediate action to be taken on your part as the malware has already been removed from the npm registry.
If you think that this advisory has been created in error, you can reach out to NPM support to clarify!
I'm going to close this Issue as there is no further action that we can take, but please reopen a new one if you have another ask!
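The two points made above (scope internal packages to scopes you own; Dependabot matches on name only, not on registry configuration) can be turned into a repository check. The Node script below is an added example, not code from this thread, GitHub or npm; the package.json, .npmrc and registry metadata it uses are constructed samples, and the scope-ownership allow-list is an assumption the caller supplies.

```javascript
// Added example (not the thread's or npm's code; sample inputs are constructed).
// Lists dependency names that sit neither in a scope you own nor on your list of
// intentionally public packages: the unscoped internal names a substitution
// attack targets and a name-only Dependabot match would flag.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "@acme/auth-client": "^2.1.0",
    "acme-internal-utils": "1.4.0", // internal but unscoped: at risk
    "express": "^4.18.2",           // genuinely public
  },
  devDependencies: { "@acme/eslint-config": "^1.0.0" },
};
const SAMPLE_NPMRC = [
  "; constructed sample .npmrc",
  "registry=https://registry.npmjs.org/",
  "@acme:registry=https://npm.pkg.github.com/",
  "//npm.pkg.github.com/:_authToken=${NPM_TOKEN}",
].join("\n");

// "@scope:registry=<url>" lines of an .npmrc -> { "@scope": url }.
function parseScopedRegistries(npmrcText) {
  const map = {};
  for (const raw of npmrcText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const m = line.match(/^(@[^:=\s]+):registry\s*=\s*(\S+)$/);
    if (m) map[m[1]] = m[2];
  }
  return map;
}

// ownedScopes is assumed to hold scopes you control on every registry you use,
// including npmjs.com; intendedPublic is your allow-list of public packages.
function substitutionCandidates(pkg, ownedScopes, intendedPublic) {
  const all = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(all).filter((name) => {
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (scope && ownedScopes.has(scope)) return false;
    return !intendedPublic.has(name);
  });
}

// npm swaps a removed malicious package for a "0.0.1-security" placeholder;
// recognise that in registry metadata such as `npm view <name> --json` output.
function isSecurityPlaceholder(meta) {
  return Boolean(meta && meta["dist-tags"] && meta["dist-tags"].latest === "0.0.1-security");
}

const ownedScopes = new Set(Object.keys(parseScopedRegistries(SAMPLE_NPMRC)));
const candidates = substitutionCandidates(SAMPLE_PACKAGE_JSON, ownedScopes, new Set(["express"]));
console.log("unscoped internal names at risk:", candidates); // ["acme-internal-utils"]
```

Any name the script reports is one to move under an owned scope (or add to the allow-list if it really is meant to come from public npm); a "0.0.1-security" placeholder for such a name on npmjs.com is the situation the thread describes.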