Code Defence Cyber security

“Manifest Confusion” Returns: npm Ecosystem Flooded with Hidden Malware

Summary: Security researchers have flagged a massive resurgence of “Manifest Confusion” attacks on the npm registry. Threat actors are publishing packages where the `package.json` manifest (which developers read) differs from the actual tarball (which the installer executes). This discrepancy hides malicious install scripts and dependencies from standard security scans.

Business Impact: Supply Chain Stealth. This technique bypasses many automated software composition analysis (SCA) tools that inspect only the manifest. If your developers install these packages, they could silently introduce backdoors into your applications without raising any red flags.

Why It Happened: The npm registry still relies on client-side validation for certain metadata fields. Attackers are exploiting this legacy architecture to “lie” about what is inside the package.

Recommended Executive Action: Configure your artifact scanners (like Snyk or Sonatype) to perform “Deep Analysis” that inspects the actual archive contents, not just the manifest. Block packages with mismatched metadata immediately.
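The "Deep Analysis" recommended above amounts to one concrete check: read the `package.json` that actually sits inside the published tarball and compare its security-relevant fields (lifecycle scripts, dependencies, `bin` entries) against the manifest the registry advertises. The following Python script is an added example written for this post; it is not code from Code Defence, npm, Snyk or Sonatype. It assumes you have already fetched the registry manifest as JSON and the tarball as bytes (for example from the registry's `dist.tarball` URL); here both are constructed inline with placeholder package names so the check runs offline.

```python
import io
import json
import tarfile

# Fields where a mismatch between registry manifest and tarball changes what
# an install does. Extend to taste (e.g. "main", "exports", "files").
SENSITIVE_FIELDS = ("scripts", "dependencies", "optionalDependencies",
                    "peerDependencies", "bin")


def build_tarball(files: dict) -> bytes:
    """Build a gzip tarball laid out like an npm publish: entries under package/.
    Used here only to construct test input; a real scanner downloads the tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name="package/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tarball_manifest(tarball: bytes):
    """Return the parsed package/package.json from the tarball, or None if absent."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        try:
            member = tar.getmember("package/package.json")
        except KeyError:
            return None
        with tar.extractfile(member) as fh:
            return json.load(fh)


def compare_manifests(registry_manifest: dict, tarball_manifest: dict,
                      fields=SENSITIVE_FIELDS) -> list:
    """List every key in a sensitive field that is missing from one side or differs."""
    findings = []
    for field in fields:
        reg = registry_manifest.get(field) or {}
        tb = tarball_manifest.get(field) or {}
        for key in sorted(set(reg) | set(tb)):
            if key not in reg:
                findings.append(f"{field}.{key} only in tarball: {tb[key]!r}")
            elif key not in tb:
                findings.append(f"{field}.{key} only in registry manifest: {reg[key]!r}")
            elif reg[key] != tb[key]:
                findings.append(f"{field}.{key} differs: registry {reg[key]!r} "
                                f"vs tarball {tb[key]!r}")
    return findings


def check_package(registry_manifest: dict, tarball: bytes) -> list:
    """Full check: open the archive, locate its manifest, diff it against the registry view.
    An empty list means the two views agree on every sensitive field."""
    tarball_manifest = read_tarball_manifest(tarball)
    if tarball_manifest is None:
        return ["tarball contains no package/package.json"]
    return compare_manifests(registry_manifest, tarball_manifest)


# Constructed sample data (placeholder names, not a real package).
# The registry view looks clean: one test script, no dependencies.
REGISTRY_MANIFEST = {
    "name": "example-widget", "version": "1.2.3",
    "scripts": {"test": "node test.js"},
}
# The tarball's own package.json adds a lifecycle script and an extra dependency
# that never appear in the registry manifest: the manifest-confusion pattern.
TARBALL_MANIFEST = {
    "name": "example-widget", "version": "1.2.3",
    "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
    "dependencies": {"example-extra-dep": "^1.0.0"},
}
SAMPLE_TARBALL = build_tarball({
    "package.json": json.dumps(TARBALL_MANIFEST),
    "index.js": "module.exports = {};",
})

if __name__ == "__main__":
    for finding in check_package(REGISTRY_MANIFEST, SAMPLE_TARBALL):
        print("MISMATCH:", finding)
```

A blocking policy for an artifact proxy follows directly: refuse the package when `check_package` returns anything, rather than trusting the registry manifest alone. Keep the comparison on the tarball side authoritative, since that archive is what ends up on disk.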

Hashtags: #npm #SupplyChain #ManifestConfusion #DevSecOps #AppSec #Malware
