New research has discovered more than 800 packages in the npm registry whose contents differ from their registry entries, 18 of which have been found to exploit a technique called manifest confusion.

The findings come from cybersecurity firm JFrog, which said the issue could be exploited by threat actors to trick developers into running malicious code.

"It's an actual threat since developers may be tricked into downloading packages that look innocent, but whose hidden dependencies are actually malicious," security researcher Andrey Polkovnichenko told The Hacker News.


Manifest confusion was first documented in July 2023, when security researcher Darcy Clarke found that mismatches in manifest and package metadata could be weaponized to stage software supply chain attacks.

The problem stems from the fact that the npm registry does not validate whether the manifest file contained in the tarball (package.json) matches the manifest data provided to the npm server during the publishing process via an HTTP PUT request to the package URI endpoint.

As a result, a threat actor could take advantage of this lack of cross-verification to supply a different manifest containing hidden dependencies, which is processed during package installation to stealthily install malicious dependencies onto the developer's system.

"The visible, or 'fake,' manifest can mislead developers and even audit tools that rely on the data available in the npm registry database," JFrog said. "In reality, the installer takes the file package.json from the tarball, which may be different from the visible one supplied in the HTTP PUT request."


The company said it identified more than 800 packages where there was a mismatch between the manifest in the npm registry and the package.json file inside the tarball.

While many of these mismatches are the result of protocol specification differences or variations in the scripts section of the package file, 18 of them are said to have been designed to exploit manifest confusion.

However, it's worth noting that a majority of these packages are proof-of-concept exploits, indicating that the attack method was never put to use to craft a malicious package as part of an attack campaign.


The findings show that the attack vector has never been put to use by threat actors to conduct poisoning attacks. That said, it's crucial that developers take steps to ensure the packages are free of suspicious behaviors.
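One way to run that kind of check is to compare the manifest the registry displays with the package.json actually shipped in the tarball. The sketch below is an added example, not code from JFrog or npm. It assumes both manifests have already been fetched and parsed into objects, and the function names and the sample package are constructed for illustration.

```javascript
// Added example (not JFrog's or npm's code). Inputs are plain objects:
// `registry` = version manifest served by the registry,
// `tarball`  = package/package.json extracted from the published tarball.
const DEP_FIELDS = ['dependencies', 'optionalDependencies', 'peerDependencies'];
const INSTALL_HOOKS = new Set(['preinstall', 'install', 'postinstall']);
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Diff two string maps. kind: 'hidden' = only in the tarball (what the installer
// uses), 'phantom' = only in the registry view, 'changed' = in both but different.
function diffMap(field, shown = {}, shipped = {}) {
  const out = [];
  for (const key of new Set([...Object.keys(shown), ...Object.keys(shipped)])) {
    const a = own(shown, key) ? shown[key] : null;
    const b = own(shipped, key) ? shipped[key] : null;
    if (a === b) continue;
    out.push({ field, key, kind: a === null ? 'hidden' : b === null ? 'phantom' : 'changed',
               registry: a, tarball: b });
  }
  return out;
}

function compareManifests(registry, tarball) {
  const findings = [];
  for (const f of ['name', 'version']) {
    if (registry[f] !== tarball[f]) {
      findings.push({ field: f, key: f, kind: 'changed',
                      registry: registry[f] ?? null, tarball: tarball[f] ?? null });
    }
  }
  for (const f of DEP_FIELDS) findings.push(...diffMap(f, registry[f], tarball[f]));
  findings.push(...diffMap('scripts', registry.scripts, tarball.scripts));
  // Identity fields, dependencies and install hooks take effect at install
  // time; other script differences are common and usually benign.
  return findings.map((x) => ({ ...x,
    severity: x.field !== 'scripts' || INSTALL_HOOKS.has(x.key) ? 'high' : 'low' }));
}

// Constructed sample: the registry view looks dependency-free.
const registryView = { name: 'demo-pkg', version: '1.0.0', scripts: { test: 'jest' } };
const shippedManifest = {
  name: 'demo-pkg', version: '1.0.0',
  dependencies: { 'hidden-dep': '^2.1.0' },
  scripts: { test: 'mocha', postinstall: 'node setup.js' },
};
for (const f of compareManifests(registryView, shippedManifest)) {
  console.log(`[${f.severity}] ${f.field}.${f.key} ${f.kind}: registry=${f.registry} tarball=${f.tarball}`);
}
```

Rating non-install script differences as low reflects the article's point that many of the 800-plus mismatches are ordinary variations in the scripts section.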

"Since this issue was not resolved by npm, trusting packages only by how they look on npm's website, might be risky," Polkovnichenko said.

"Organizations should introduce procedures that verify that all packages that enter the organization or are used by their dev teams are safe and can be trusted. Specifically in the case of manifest confusion, it's required that every package is analyzed to see if there are any hidden dependencies."

(The story has been updated after publication to emphasize that the packages observed so far are proof-of-concepts and none of them were put to use in an actual campaign.)
