NPM 8.11.0 audit reporting that library has Malware

[Christian-Sesta]

Recently upgraded to a newer version of node and jsut saw this vulnerability from the npm audit logs. Is this something you guys can look into as its quite worrying.

connect-rtc-js *
Severity: critical
Malware in connect-rtc-js - GHSA-pgj5-6g64-97p4
No fix available
node_modules/connect-rtc-js

1 critical severity vulnerability

[Christian-Sesta]

@yiming-amzn by chance was this also fixed as part of the previous release?

[yiming-amzn]

Hello, thanks for bringing this up! I look into it and get back to you when I have an estimate.

[mike-saavedra]

TLDR; GitHub: "Oops our bad, but we're not going to do anything about it. Take it up with NPM"

I also got the npm audit critical alert when installing this public npm package. Even when using git hash or local folder as reference in package.json, I still get the error because npm only matches the package name to their database of advisories and flags it.

After some research, I see that npm depends on GitHub's advisory database as it's source of truth. The problem is that GitHub seems unwilling to remove even falsely accused repos and the repo owners have to take it up with npm to restore their project to good standing.

Here are some examples of similar issues where victims of GitHub's advisory database have reported the same thing.

In most of them you'll see this template response from someone on their team:

On June 15th, we announced GitHub added malware advisories to the GitHub Advisory Database, though we do not send Dependabot alerts on them nor are the published to the repository here.

We found that the majority of those alerts in question (possibly including the one you raised) were for substitution attacks. During these types of incidents, an attacker would publish a package to the public registry with the same name as a dependency users rely on from a third party or private registry, with the hope a malicious version would be consumed. As Dependabot doesn’t look at project configuration to determine if the packages are coming from a third-party registry, it has been triggering a notification for packages with the same name from the public npm registry. To resolve this issue in the short term, we we paused all Dependabot notifications on malware advisories and will work to determine how to best notify customers of being the target of a substitution attack going forward.

If you think that this advisory has been created in error, you can reach out to NPM support to clarify!

As I am not the repo owner here, I cannot help any further. @yiming-amzn could you find out who is Amazon's official repo owner for this project in NPM and ask them to reach out? We are building a custom CCP and this will cause us to fail our security audits. Thank you!

[Christian-Sesta]

Just checking on the status of this fix and if there are any plans to address it? It has been 3 years after all.

@yiming-amzn @siwei-w