Unseen Risks: Navigating Hidden Threats in NPM, NuGet, PIP, Chrome Extensions, and Docker Images for Everyday Tasks
Background: Developers and non-technical users alike regularly run into small tasks that need a quick solution. Rather than build it themselves, they reach for a ready-made package, extension, or image. Have you ever considered what risks come bundled with that convenience?
Classic scenario: Let's look at a real extension. The Chrome Web Store offers an extension that presents Notepad++-style editing inside the browser, and it has a respectable install count.

Now let's look at the source code. At a glance, the core of the extension is an "iframe": the popup does not contain an editor of its own; it frames a page loaded from somewhere else.

Following the iframe's source, we find that the extension connects us to a remote machine running Qt. The editor you are typing into is not on your computer at all.

Risks of such an implementation for an organization:
1. Staff may paste a great deal of sensitive information into what looks like a local editor, and all of it is sent to the remote host, which puts our data at risk.
2. We do not know how the extension developers have configured that remote machine: who operates it, whether content is logged or retained, or what happens if it is compromised.
3. The extension's design grants the remote page implicit trust: nothing in the extension verifies or limits what that page can do, so there is no zero-trust boundary between the user and the operator.
The extension above is one example of what can put our environment at risk. Another scenario is developers pulling in an NPM or NuGet package for a job as small as converting text to lowercase. One such package sees about 21 million downloads per week, which means it sits deep in the dependency trees of many other projects; a compromise of that one package, or of its maintainer's account, would propagate to all of them.

Conclusion: Packages, Docker images, and extensions make our lives more comfortable, but that does not mean we should reach for one for every easy task. One way to limit the exposure is to control what may be installed in the environment in the first place: maintain an allowlist of approved packages, images, and extensions, and block everything else by policy.
