Friday, February 2, 2024

npmjs.com is Abused, Video Clips Flood npm Registry, Sparking Cleanup Efforts

In an unexpected turn of events, npmjs.com, a platform designed for hosting software artifacts, has been inundated with an unusual type of content: movies, videos, and eBooks. This phenomenon, observed by the Sonatype Security Research team, has resulted in the discovery and removal of 748 packages from the npm registry.



Rather than carrying malicious code, these packages stand out for housing multimedia content, specifically partial video clips, each approximately 54.5 MB in size. Tracked under the label sonatype-2024-0284, these packages have been present on the npm registry since at least December 4, 2023, with removal actions initiated by GitHub this week.


The originator of these unusual artifacts goes by the npm username "wlwz," a detail evident in the 'wlwz' prefix of the package names.


Inside each package, the video clips carry the '.ts' extension, which here denotes video extracted from DVDs and Blu-ray discs rather than TypeScript source. Notably, some packages, like "wlwz-2312," feature timestamped Mandarin comments* within JSON files, adding a further layer of intrigue to the situation.
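As an added illustration (not part of the original article and not Sonatype's tooling), the following check shows how a registry-hygiene scanner could tell such a clip apart from TypeScript: an MPEG transport stream, the format behind these '.ts' rips, carries a 0x47 sync byte at a fixed 188-byte stride, which source code never does consistently. The 10 MiB "too large for source" threshold and the sample package contents are assumed and constructed here.

```python
from typing import Dict, List, Tuple

TS_PACKET = 188           # MPEG transport stream packets are always 188 bytes
TS_SYNC = 0x47            # every packet begins with this sync byte
MIN_PACKETS = 4           # need several aligned sync bytes before calling it video
LARGE_FILE_BYTES = 10 * 1024 * 1024   # assumed threshold for "too big for source"


def is_mpeg_ts(data: bytes, packets: int = 32) -> bool:
    """True if `data` shows 0x47 sync bytes at a 188-byte stride.

    All 188 possible start offsets are tried because a clip cut out of a
    larger stream need not begin on a packet boundary."""
    if len(data) < TS_PACKET * MIN_PACKETS:
        return False
    for start in range(TS_PACKET):
        positions = range(start, len(data), TS_PACKET)[:packets]
        if len(positions) >= MIN_PACKETS and all(data[p] == TS_SYNC for p in positions):
            return True
    return False


def scan_package(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (path, reason) findings for a mapping of path -> file contents,
    e.g. the entries of an unpacked package tarball."""
    findings = []
    for path, data in files.items():
        if path.endswith(".ts") and is_mpeg_ts(data):
            findings.append((path, "MPEG transport stream, not TypeScript"))
        elif len(data) >= LARGE_FILE_BYTES:
            findings.append((path, f"{len(data) / 2**20:.1f} MiB blob in a source package"))
    return findings


# Constructed sample input (not real package contents): a synthetic TS clip
# whose fixed payload never contains 0x47, plus a genuine TypeScript file.
_PAYLOAD = bytes([0xAA, 0x55]) * 93 + b"\xff"          # 187 bytes, no 0x47


def build_fake_ts(packets: int) -> bytes:
    return (bytes([TS_SYNC]) + _PAYLOAD) * packets


SAMPLE_PACKAGE = {
    "package.json": b'{"name": "example-pkg", "version": "1.0.0"}',
    "src/index.ts": b"export function add(a: number, b: number): number {\n  return a + b;\n}\n" * 20,
    "media/clip01.ts": build_fake_ts(40),
}

if __name__ == "__main__":
    for path, reason in scan_package(SAMPLE_PACKAGE):
        print(f"{path}: {reason}")
```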


This incident evokes memories of a similar episode in 2022 when Chinese developers were found utilizing GitHub and npm to store thousands of eBooks, potentially as a workaround for state censorship. However, it remains uncertain whether this recent surge in npm registry activity is solely an abuse of the platform for hosting pirated materials.


While the software development community often encounters registry challenges like cryptominers, spam packages, and dependency confusion malware, occurrences like these underscore the inventive ways users (and attackers) leverage such platforms. These seemingly benign actions have the potential to compromise the integrity and hygiene of these registries and, subsequently, the entire software supply chain.


In light of these developments, one takeaway is clear: do not upload videos to open-source software (OSS) registries, as doing so likely violates their terms of service.


*Update, Feb 2nd, 2024: A clarification on the JSON file contents reveals that they represent time-synced user comments submitted to online video streaming platforms, not subtitles. The article has been updated accordingly based on reader feedback.
