Safely Exploring Malicious NPM Packages: A Guide to Using Verdaccio for Secure Testing

Software supply chain attacks are becoming increasingly common, posing significant risks to entire ecosystems. Detecting, analyzing, and mitigating these threats is crucial for security researchers and engineers. This guide explores how to use Verdaccio—a lightweight Node.js package proxy registry—as a controlled environment for safely testing malicious packages.


Why Use a Controlled Environment?

Testing malicious packages in live environments is both unethical and illegal. Instead, a controlled environment like Verdaccio allows researchers to:

  • Simulate Real-world Scenarios: Recreate production-like conditions without endangering external systems.

  • Analyze Package Behavior: Isolate and monitor the telemetry of malicious code.

  • Enhance Defense Mechanisms: Develop and test detection systems without disrupting legitimate users.


Setting Up Verdaccio

  1. Install Verdaccio:

     PS C:\Users\user\npm-lib> npm install -g verdaccio
    
     added 276 packages in 25s
    
     47 packages are looking for funding
       run `npm fund` for details
    

    Learn more in the Verdaccio Official Documentation.

  2. Run the Server:

     PS C:\Users\user\npm-lib> verdaccio
     info --- config file  - C:\Users\user\AppData\Roaming\verdaccio\config.yaml
     info --- the "crypt" algorithm is deprecated consider switch to "bcrypt" in the configuration file. Read the documentation for additional details
     info --- using htpasswd file: C:\Users\user\AppData\Roaming\verdaccio\htpasswd
     info --- plugin successfully loaded: verdaccio-htpasswd
     info --- plugin successfully loaded: verdaccio-audit
     warn --- http address - http://localhost:4873/ - verdaccio/6.0.5
     info <-- ::1 requested 'GET /'
     [....]
     info <-- ::1 requested 'GET /-/verdaccio/data/packages'
    

  3. Set Up Authentication: Set up a username and password from the CLI, and then log in to the web portal.

     PS C:\Users\user> npm adduser --registry http://localhost:4873/
     npm notice Log in on http://localhost:4873/
     Username: harekrishnarai
     Email: (this IS public) lalaxxn@gmail.com
     Logged in on http://localhost:4873/.
    

    After logging in, you will see the Verdaccio portal running at http://localhost:4873.

I created a post-install-script-based malicious package here, which is listed above on the Verdaccio portal. Also, before pushing the library to Verdaccio, make sure to set the npm registry path to http://localhost:4873/

Configure Verdaccio (Optional): Modify the configuration file to enforce access restrictions and enable auditing:

security:
  api: true
  web: true
storage: ./storage

There are many other techniques for developing malicious packages, such as these:

  • Supply Chain Attack Methods:

    • Typosquatting: Publish packages with similar names to popular ones (e.g., lodash-express vs. lodash). Learn more about Typosquatting Attacks.

    • Dependency Confusion: Create packages mimicking internal corporate naming conventions. Discover insights on Dependency Confusion Attacks.

    • Embedded Payloads: Include malicious scripts, such as data exfiltration or cryptominers, triggered by specific conditions.

  • Dynamic Payloads: Activate malicious behavior based on environment variables, IP addresses, or specific configurations.

  • Code Obfuscation: Use tools to obscure code and hinder detection efforts.

  • Exfiltration Techniques: Simulate data theft using DNS tunneling, HTTP requests, or covert channels.


Testing Detection Tools

Evaluating the performance of security tools ensures they can identify and mitigate threats effectively:

  • Static Analysis Tools: Assess detection capabilities with tools like semgrep, SonarQube, or eslint. Learn more on the Semgrep Official Site.

  • Dynamic Analysis: Observe real-time behavior with monitoring tools such as strace, Wireshark, or sysdig.

  • Software Composition Analysis (SCA): Test tools like Snyk, OSS Index, or WhiteSource for vulnerability and malware identification.
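Because the test package in this guide relies on a post-install script, a useful baseline for any static tool is a check of the manifest's install-time hooks. The following is an added example, not code from the original post; the function name auditLifecycleScripts, the pattern list and both sample manifests are constructed for illustration.

```javascript
// Added example: flag npm lifecycle scripts that run automatically during install.
// The pattern list is an illustrative assumption, not a complete ruleset.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

const SUSPICIOUS_PATTERNS = [
  { name: 'network-fetch', re: /\b(curl|wget|Invoke-WebRequest)\b/i },
  { name: 'inline-eval', re: /\bnode\s+(-e|--eval)\b/ },
  { name: 'shell-pipe', re: /\|\s*(sh|bash|powershell|cmd)\b/i },
  { name: 'encoded-blob', re: /[A-Za-z0-9+\/]{40,}={0,2}/ },
  { name: 'env-access', re: /process\.env|\$\{?[A-Z_]*(TOKEN|SECRET|KEY)/ },
];

function auditLifecycleScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const matched = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.name);
    // Any install-time hook deserves review; a pattern hit raises the severity.
    findings.push({ hook, command, matched, severity: matched.length > 0 ? 'high' : 'review' });
  }
  return findings;
}

// Constructed sample manifests (not taken from a real package).
const sampleSuspicious = {
  name: 'demo-postinstall-pkg',
  scripts: {
    test: 'node test.js',
    postinstall: 'node -e "console.log(process.env.NPM_TOKEN)"',
  },
};
const sampleBenign = { name: 'demo-clean-pkg', scripts: { test: 'node test.js' } };

console.log(JSON.stringify(auditLifecycleScripts(sampleSuspicious), null, 2));
console.log(JSON.stringify(auditLifecycleScripts(sampleBenign), null, 2));
```

Run it against the package.json extracted from a tarball pulled from the test registry; a finding with severity "review" means the hook exists but matched none of the patterns.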


Monitoring Malicious Behavior

Utilize these strategies to analyze package behavior effectively:

  • File and Network Monitoring: Log attempts to access files or networks within the controlled test environment.

  • Detailed Telemetry: Enable logging to trace execution paths and dependency usage.


Deploying Defenses

Simulating attacks in a controlled environment helps develop and validate robust defenses:

  1. Centralized Package Caching: Employ tools like Artifactory or Nexus Repository to proxy and pre-validate dependencies.

  2. Use Lockfiles: Enforce lockfiles (e.g., package-lock.json) to prevent unauthorized dependency updates. Learn more about Lockfiles.

  3. Restrict Scopes: Limit installations to trusted sources and specific registry scopes.
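Lockfiles and registry restrictions can be checked together: every entry in package-lock.json should resolve from an approved registry and carry an integrity hash, which also catches a lockfile that still points at the local test registry on http://localhost:4873/. This is an added example, not code from the original post; the function name checkLockfile, the allowlist and the sample lockfile are constructed assumptions.

```javascript
// Added example: verify that every package-lock.json entry (lockfileVersion 2/3)
// resolves from an allowed registry and carries an integrity hash.
// Assumption: adjust the allowlist to your policy. The trailing slash matters,
// otherwise "https://registry.npmjs.org.example" would pass the prefix check.
const ALLOWED_REGISTRIES = ['https://registry.npmjs.org/'];

function checkLockfile(lock, allowed = ALLOWED_REGISTRIES) {
  const problems = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links and bundled dependencies,
    // none of which are fetched from a registry on their own.
    if (path === '' || entry.link || entry.inBundle) continue;
    if (!entry.resolved) {
      problems.push({ path, issue: 'missing-resolved' });
      continue;
    }
    if (!allowed.some((prefix) => entry.resolved.startsWith(prefix))) {
      problems.push({ path, issue: 'unexpected-registry', resolved: entry.resolved });
    }
    if (!entry.integrity) {
      problems.push({ path, issue: 'missing-integrity' });
    }
  }
  return problems;
}

// Constructed sample lockfile: one clean entry and one left over from the test registry.
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/demo-clean-pkg': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/demo-clean-pkg/-/demo-clean-pkg-1.0.0.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER',
    },
    'node_modules/demo-postinstall-pkg': {
      version: '1.0.0',
      resolved: 'http://localhost:4873/demo-postinstall-pkg/-/demo-postinstall-pkg-1.0.0.tgz',
    },
  },
};

console.log(checkLockfile(sampleLock));
```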


Ethics and Best Practices

Maintaining ethical standards is vital for responsible security research:

  • Legal Compliance: Always operate within legal boundaries and obtain necessary permissions.

  • Thorough Documentation: Record research processes meticulously for transparency and reproducibility.

  • Responsible Disclosure: Inform package authors or repository maintainers promptly about any vulnerabilities identified. Learn about Responsible Disclosure Guidelines.

"Responsible disclosure is a cornerstone of ethical security research." — Trusted Security Authority


Conclusion

Using controlled environments like Verdaccio ensures a safe, ethical way to study malicious package behaviors and their impacts. By combining systematic testing, vigilant monitoring, and adherence to best practices, researchers can strengthen defenses against software supply chain attacks and contribute to a more secure ecosystem.


Written by

Hare Krishna Rai

I specialize in securing software supply chains and GenAI systems, with a focus on vulnerability scanning, source code reviews, and risk mitigation in cloud and containerized environments. My work includes defending against supply chain attacks and ensuring the security of AI-driven applications. As the creator of Damn Vulnerable SCA (SCAGoat), I share my insights on these topics at major cybersecurity events like DEFCON 32, BlackHat Europe, and c0c0n, helping to strengthen the security of modern technologies.