We are excited to introduce a new Device Property to Kolide’s data collection capabilities, NPM Packages.
For the unfamiliar, the Node Package Manager (or NPM) is used by developers and
users to obtain and manage Node.js libraries that they can utilize inside of
scoped to specific code folders, users also have the ability to install
packages globally on a device. NPM is often used to install CLI tools that
are invoked directly by end users in their terminal. For example, the
npm install -g grunt will install the
grunt package and make the
grunt command available in the terminal automatically.
Over the last few years, you may have noticed a substantial increase in supply chain attacks on popular package management systems. In a supply chain attack, a bad actor obtains control of a popular package, pushes a new version that contains a malicious payload, and then distributes it via official channels. In this scenario, package managers like NPM may download the malicious version of the package and automatically execute the payload which then compromises the device.
While Microsoft (the owner of the NPM registry) continues to bolster the security of the NPM registry– most recently, requiring two-factor auth for the top 500 maintainers– these supply chain attacks continue to be a risk. Getting visibility of NPM packages across your device fleet is now an important requirement for many IT and Security practitioners even for devices used by non-developers.
Kolide is now capable of providing that visibility by default for all three platforms we support (Mac, Windows, and Linux).
While the osquery agent has supported enumerating NPM packages in the past,
this support was severely lacking. First, it only worked on Linux devices, and
second, it had an out-of-date list of folders it would scan looking for
Last March, Kolide contributed a PR that improved this table significantly. It brings support to both Mac and Windows, while simultaneously expanding the list of locations Node.js itself is installed by third-party package managers like Homebrew.
Recently, the osquery core-team released version 5.3.0, which brought this new
npm_packages table to the main-stream. Once this version was proliferated
across our customers, we wanted to swiftly add support for it in Kolide’s
We’ve also made this information available in our Reporting DB feature where you can query the data to build your own reports and even your own API endpoints.
Like many of our other Inventory items, in addition to the data Kolide obtains from the osquery table, Kolide wil also reach out programmatically to the NPM registry’s API and decorate the data with information like:
- the latest published version
- the date that version was released
- a list of the package’s keywords
- the package’s maintainers
- the week’s download count
This information is automatically updated at least every 48 hours and allows you to do some novel queries inside of our reporting DB.
If you want to know more about NPM Packages outside the default folders, the
npm_packages table can take an optional
directory argument and enumerate
package.json file in any directory you choose.
Here is an example Live Query run on my Mac that enumerates some of the NPM packages we use in the Kolide product. Feel free to adjust the query to your needs!
directorycolumn to enumerate the NPM packages in any directory with a valid
- The purpose of collection
- Privacy information
- A representative data set of what information the device will return
We collect NPM Packages by default. If you don’t want to collect this data from your fleet, you can also take advantage of our new data collection opt-out feature.
We hope you enjoy this new addition to Inventory. As always, we encourage you to reach out to us for more suggestions, questions, and feedback. If there is something Kolide should be enumerating, we want to know about it!