cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon npm

Proposal to Enhance Supply Chain Security Protections on NPM CLI

Open HackingRepo opened this issue 3 months ago • 3 comments

Hello, NPM Team

I propose that NPM implement an optional security check in the CLI that scans packages for obfuscated code. If suspicious patterns are detected (e.g., excessive eval usage, long encoded strings), the CLI should display a warning like:

WARN: The NPM Package [PACKAGE_NAME] may be suspicious. Contains obfuscated code.

This would provide developers with early alerts against potential supply chain attacks.

I Propose This to enhance NPM and become a safe place for development. A large number Of Supply Chain attacks occur, and a serious one on September 8, Sep 16, and others. By Implementing The Protection, this makes NPM a safe place for developers

You Can Implement This by checking if This Version of the Tarball, after being extracted, Suspicious Obfuscated JS and Long Line JS code are indicators of a Supply Chain Attack.

HackingRepo avatar Sep 17 '25 18:09 HackingRepo

The moment these indicators are used by npm, they will stop being indicators, because attackers will just move on to alternative approaches, including shipping wasm (which is always "obfuscated").

ljharb avatar Sep 17 '25 19:09 ljharb

Hello, @ljharb

Thank you for the thoughtful feedback — you raise a valid point that attackers will adapt and try other approaches, like using WASM, to evade detection.

You Can do For Linux:

If a package contains .wasm files, the NPM CLI should attempt to convert them to .wat (WebAssembly Text format) using wasm2wat.

If wasm2wat is available on the system:

Decompile the .wasm to .wat

Perform simple heuristic checks (function names, strings, imports)

Display any suspicious indicators to the developer

If wasm2wat is not available:

Do not silently ignore the .wasm

Instead, show a warning like:

[WARN] The package contains WebAssembly (.wasm) code, which was not analyzed.
Make sure it is not malicious before installing. For Analysis, install the 'wabt' package

For Windows:

You can bundle a Binary 'wasm2wat.exe' as part of the NPM setup and

Decompile the .wasm to .wat

Perform simple heuristic checks (function names, strings, imports)

Display any suspicious indicators to the developer

After this, you can analyze the .wat file to determine if it is a suspicious file for suspicious patterns and check for indicators of obfuscation or malicious behavior. This includes examining function names for randomness, inspecting indirect function calls (call_indirect), reviewing memory operations, and looking for embedded strings or data segments that may indicate encoded payloads and print like this

[WARN] The WASM file, after conversion to a .wat file, appears to be obfuscated.
Ensure you review it carefully before installing.

By analyzing JS and Wasm, make Evaison Harder. I Recommend Implementing The Both

HackingRepo avatar Sep 18 '25 11:09 HackingRepo

There is an alternative solution to this issue with an issue opened here - https://github.com/npm/cli/issues/8570

omonk avatar Sep 19 '25 07:09 omonk