arduino-ide-extension marked as malware

[rhaidiz]

Hello, this is the Arduino Security Team. We have recently came across an advisory published on GitHub (GHSA-7884-8cw4-qpgx) that is reporting the arduino-ide-extention as containing malware.
The package is part of a bigger project called Arduino IDE 2.x (https://github.com/arduino/arduino-ide) and has never been listed in the npm registry.

We believe this to be a part of an attempt from a threat actor to conduct some kind of dependency confusion on our repo.

We have already contacted NPM to let them know of the issue, we would also appreciated it if you could help us in removing this advisory, thanks.

[darakian]

Hey @rhaidiz, the npm team is 100% the right team to contact. If I had to guess, I think what may have happened is that someone uploaded a package named arduino-ide-extention to npm and that it was pure malware. The npm team would have then pulled it and this advisory was made in order to inform users who may have downloaded the package while it was up.

The advisory itself only applies to the package arduino-ide-extention on npmjs.com

[rhaidiz]

Thank you @darakian , my guess as well. However, now we are running in the issue of having yarn audit flagging any version of the arduino-ide-extension as containing malware. My guess is that since the advisory on GitHub shows that any version >= 0 is flagged as containing malware, any version we work on (we are currently at version 2.3.1) will be flagged as malicious by yarn audit.

NPM support has answered by showing that the NPM registry (https://www.npmjs.com/package/arduino-ide-extension) contains now a version "0.0.1-security" which is used as security placeholder.

My guess is that now the GitHub advisory should be updated to reflect that only versions >= 0 and < 0.0.1-security are affected, so to now disrupt when running yarn audit with any other version?

P.S.: I've updated the title of the issue to correct the spelling of package. Correct spelling is "arduino-ide-extension" and not "arduino-ide-extention"

[darakian]

yarn audit flagging any version of the arduino-ide-extension as containing malware.

What is it matching against though? Is there some other npm package with that name from a private registry or something you're using?

On the face of it this seems like a yarn bug to me as our data is quite clear that we're talking about the package with that name on npmjs.com

I'm not sure changing the versions would be much more than a hacky fix 😞

[rhaidiz]

I see, it is a bit confusing since the output from yarn audit links to npmjs.com which redirects to GitHub advisory database, and the GitHub advisory redirects back to npmjs.com, so my initial guess was that yarn audit was checking based on the version published on the GitHub advisory.

Let me see if I got this right: the advisories on GitHub are published based on information that npmjs.com is providing to GitHub, so npmjs.com doesn't have ad advisories database, they just use GitHub as a publisher, but any issue with the advisory itself should be discussed with npmjs.com. Moreover, whatever check is performed by yarn audit on the npm registry might not be related with details specified in the GitHub advisory itself and should also be discussed with npmjs.com.
Is that correct?

[darakian]

I am not familiar with how yarn uses our advisory data, but if they are raising the alert to you then I would guess that they are either finding the malware package in your dependency tree or they are mismatching on something. Hence I would raise the issue with them.

NPM used to have their own database but merged into us back in 2021
https://github.blog/changelog/2021-10-03-the-npm-advisory-database-is-now-part-of-the-github-advisory-database/
For malware takedowns we defer to npm on the specific advisories that are created for the malware.

[rhaidiz]

Shouldn't this advisory be updated anyway?
It says that the "arduino-ide-extension" package is affected by malware from version >= 0 and with no patched versions.
This clearly does not reflect what is published on the npmjs.com registry https://www.npmjs.com/package/arduino-ide-extension. Assuming yarn, or any other tool for that matter, uses advisories published on GitHub, especially since the NPM advisory database got merged into GitHub, to check for advisories, they would always flag any version as containing malware.

BTW I've contacted NPM support and they are telling me that changes to an advisory should be requested here and not to them.

[darakian]

It says that the "arduino-ide-extension" package is affected by malware from version >= 0 and with no patched versions.

Indeed. We do that so that anyone who had downloaded the malware package prior to it being pulled will get an alert. So, no I don't think we want to update the advisory.

they would always flag any version as containing malware.

Correct. If the package was only ever malware then that is the desired behavior.

[dankeboy36]

they would always flag any version as containing malware.

Correct. If the package was only ever malware then that is the desired behavior.

@darakian, could you please explain why I get the malware warning when my private npm package happens to have the "arduino-ide-extension" name? I set up a bare minimum example to reproduce it: dankeboy36/ghsa-7884-8cw4-qpgx.

Isn't it a false positive warning when I run npm i or npm audit in the project root? My assumption about how npm audit works is most likely incorrect, so if you could clone the repo, try it, and explain why the warning is expected, it would be super helpful. Thank you!

[darakian]

@darakian, could you please explain why I get the malware warning when my private npm package happens to have the "arduino-ide-extension" name?

I can. The npm cli does not distinguish packages based on source during alert delivery. There's an rfc open for that to change you can view here
npm/rfcs#739

[ljharb]

It’s probably best anyways to use a scope, even if it’s internal-only, to avoid confusion.

[KateCatlin]

Hey all! Doesn't seem like there's much more we can do here as we are unable to change npm malware advisories. Any last questions before I close this issue out?

[rhaidiz]

Hey @KateCatlin and @darakian apologies for a late reply, I've been out of office for a few days and I'm now back.
We have been having some internal conversation and agreeded that the best course of action is to scope the package that we develop under our organisation. I've submitted a support request to GitHub to update the text of the advisory to highlight that the package in question is not affiliated with Arduino. The advisory has been updated and soon we will push a change to our code base to have the package properly scoped.

Thank you all for you patient and support on the matter.
Cheers.

[darakian]

@rhaidiz happy to help and sorry for the back and forth. Glad you're happy with the outcome and thank you for caring enough to take the time to open this issue as well :)

Feel free to drop by anytime with any other comments/criticisms as well. Hopefully we can do more for you next time 😉