
[GHSA-93jq-pwrf-g6h6] cannot find in database, but linked from npm audit. (@piwikpro/ngx-piwik-pro / piwik-pro-angular-tracking) #1718

Closed
koesper opened this issue Feb 22, 2023 · 2 comments


@koesper

koesper commented Feb 22, 2023

When installing @piwikpro/ngx-piwik-pro, I received a critical malware message from npm audit.

That linked to GHSA-93jq-pwrf-g6h6, but I can't find any more information about it.
While searching through the advisory-database, I also cannot find a file with that name in any of the folders.

What is happening? Is this package truly contaminated, or is this a false alarm?
If so, what can the package owners do about it?

I've opened an issue on the package itself here

@koesper
Author

koesper commented Feb 22, 2023

After a wild goose chase, we figured out that there actually was a package with the name piwik-pro-angular-tracking, that was flagged for malware.
How exactly that triggered warnings during npm audit of @piwikpro/ngx-piwik-pro is still not entirely clear to me, but we now understand that that name actually exists in the package.json of the repo that builds the npm module. Not in the package.json of the npm module itself.

@KateCatlin
Collaborator

@koesper thank you for proactively sharing your experience and concern.

On June 15th, we announced GitHub added malware advisories to the GitHub Advisory Database, though we do not send Dependabot alerts on them nor are they published to the repository here.

We found that the majority of those alerts in question (possibly including the one you raised) were for substitution attacks. During these types of incidents, an attacker would publish a package to the public registry with the same name as a dependency users rely on from a third party or private registry, with the hope a malicious version would be consumed. As Dependabot doesn’t look at project configuration to determine if the packages are coming from a third-party registry, it has been triggering a notification for packages with the same name from the public npm registry. To resolve this issue in the short term, we paused all Dependabot notifications on malware advisories and will work to determine how to best notify customers of being the target of a substitution attack going forward.

If you think that this advisory has been created in error, you can reach out to NPM support to clarify!

I'm going to close this Issue as there is no further action that we can take, but please reopen a new one if you have another ask!
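The comment above explains why a malware advisory can fire on a name that your project actually pulls from a private registry: the scanner does not read the project's registry configuration. The script below is an added triage example (not GitHub's, Dependabot's or the Piwik PRO project's code) that does read it: it takes the `@scope:registry=` lines from `.npmrc` and the `resolved` tarball URLs from a `package-lock.json` (lockfileVersion 2 or 3), and reports for each installed package whether it came from the public registry, a private one, or, the case worth investigating, a scope that is pinned to a private registry but was resolved from the public one. The `.npmrc`, lockfile and `npm.acme.example` host are constructed sample inputs.

```python
"""Classify lockfile packages by the registry they were fetched from (constructed demo)."""
import json
from urllib.parse import urlparse

PUBLIC_REGISTRY_HOSTS = {"registry.npmjs.org"}

def parse_scoped_registries(npmrc_text):
    """Return {"@scope": host} for every '@scope:registry=URL' line in an .npmrc."""
    scoped = {}
    for raw in npmrc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key.startswith("@") and key.endswith(":registry"):
            scoped[key[: -len(":registry")]] = urlparse(value.strip()).hostname
    return scoped

def classify_packages(lockfile, scoped):
    """Map each installed package to 'public', 'private', 'mismatch' or 'unresolved'.

    'mismatch' means the scope is pinned to a private registry in .npmrc but the
    lockfile resolved the tarball from the public registry: the trace a successful
    substitution would leave. Expects the lockfileVersion 2/3 "packages" layout."""
    result = {}
    for path, meta in lockfile.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        host = urlparse(meta.get("resolved", "")).hostname
        scope = name.split("/")[0] if name.startswith("@") else None
        if host in PUBLIC_REGISTRY_HOSTS:
            result[name] = "mismatch" if scoped.get(scope) else "public"
        elif host:
            result[name] = "private"
        else:
            result[name] = "unresolved"  # e.g. file:/link: deps with no tarball URL
    return result

# Constructed sample inputs (not a real project or registry).
SAMPLE_NPMRC = "# constructed\n@acme:registry=https://npm.acme.example/\nregistry=https://registry.npmjs.org/\n"
SAMPLE_LOCK = json.loads("""{ "lockfileVersion": 3, "packages": {
  "": {"name": "demo"},
  "node_modules/left-pad": {"resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
  "node_modules/@acme/internal-ui": {"resolved": "https://npm.acme.example/@acme/internal-ui/-/internal-ui-2.0.0.tgz"},
  "node_modules/@acme/build-tools": {"resolved": "https://registry.npmjs.org/@acme/build-tools/-/build-tools-0.0.1.tgz"}
}}""")

if __name__ == "__main__":
    for name, verdict in classify_packages(SAMPLE_LOCK, parse_scoped_registries(SAMPLE_NPMRC)).items():
        print(f"{verdict:10} {name}")
```

A package reported as `private` is one a public-registry malware advisory with the same name does not describe; a `mismatch` is the one to check against what the private registry actually serves.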
