Wolf at the Door: Preventing Install-Time Attacks in npm with Latch

Abstract

The npm software ecosystem allows developers to easily import code written by others. However, manual vetting of every individual installed component is made difficult in many cases by the number of transitive dependencies brought in by installing popular packages. This has enabled attackers to propagate malicious code by hiding it deep into the dependency chains of popular packages. A particularly dangerous form of attack comes from malicious code embedded into package install scripts. We tackle the problem of preventing undesirable install-time behavior by proposing Latch, a system for mediating install-time capabilities of npm packages. Latch generates permission manifests summarizing each package's install-time behavior and checks them against user-defined policies to ensure compliance. Policies in Latch are expressed in a rich formal policy language that covers a broad range of use cases. Our key insight is that expressive Latch policies empower users to define and enforce their own individualized security needs. Evaluation of practical Latch policies on all publicly available npm packages and on a number of real-world attack packages demonstrates that our approach is effective in identifying and stopping unwanted behavior while minimizing disruption due to undesired alerts.