Security Issue: Risk of Dependency Confusion with `scancode-workbench`

[PlayerIUnknown]

Description

I have identified a potential security risk related to a Dependency Confusion vulnerability within our project. Our package.json refers to the package named scancode-workbench, which, according to our findings, does not exist on the public npm registry. This poses a risk that a malicious package could be uploaded to npm with the same name, leading our build systems to accidentally pull and use the malicious package instead of our intended local or private repository package.

Affected Package

Package Name: scancode-workbench
Current Usage: Referenced in package.json as the project name and included as a dependency.
Version: 4.0.3

Risk Impact

If an attacker were to upload a malicious package to npm under the scancode-workbench name with a higher version number, they could execute arbitrary code within our systems or steal sensitive data, depending on how the package is utilized within our projects.
Every single time anyone would use the command npm install pkg name, the malicious package would be fetched. Even in automated pipelines, the higher version number of the malicious package on the public registry would cause a public vs private dependency confusion and might make systems fetch the malicious version of our package.

Steps to Reproduce

1. Check the npm registry for scancode-workbench: [(https://registry.npmjs.org/scancode-workbench)]
2. Observe that the package does not exist on npm, presenting a risk for dependency confusion attacks.

Proposed Solutions

To mitigate this risk, we have a couple of options:

1. Claim the Package Name on npm: By claiming the package name on npm, we can prevent unauthorized parties from uploading a malicious package with the same name. This involves creating a minimal, benign package under the scancode-workbench name to reserve it.

2. Mark the Package as Private: If the package is intended for internal use only and not meant to be published, we should specify this in our package.json by adding "private": true. This ensures that npm will refuse to publish it, avoiding any accidental exposure.

   Example:

   {
     "name": "scancode-workbench",
     "version": "4.0.3",
     "private": true,
     "description": "An application for viewing ScanCode results and concluding component origin and license"
   }

Action Required

• Decide on claiming the package name or marking it as private.
• Implement the chosen solution to secure our package management workflow.

Additional Information

• Reviewing our internal dependency management policies to avoid similar issues in the future.
• Ensuring all developers are aware of the implications of public vs. private packages in npm.

[OmkarPh]

We're not trying to install scancode-workbench anywhere, however we might still want to claim the name.
What do you think @AyanSinhaMahapatra @pombredanne ?

[pombredanne]

@OmkarPh Sadly, I think we should "squat" our own project names to avoid abuses and squatting by others. This is eventually far reaching, as it would technically expand to all the main package repositories and not just npm.

Let's start with here!

@OmkarPh can you tell me the procedure to follow? I would like to have me or Ayan do it ourselves.

[OmkarPh]

I've published a couple of packages before, Broadly these are the steps -

• Register on npm - https://www.npmjs.com/signup
• Ensure you've node and npm installed.
  Login to CLI - npm login (Refer this for 2FA - https://docs.npmjs.com/accessing-npm-using-2fa)
• Create a basic package folder (package.json, README and a LICENSE)
  More details - https://docs.npmjs.com/creating-a-package-json-file
  As @PlayerIUnknown mentioned above, we can mark it as private if needed
• Then do npm publish (Verify published packages from npmjs.com web ui)