New Device Inventory: NPM Packages

Jason Meller
June 28th, 2022

We are excited to introduce a new Device Property to Kolide’s data collection capabilities, NPM Packages.

You can read more about our NPM Packages support in our new Inventory docs.

What is NPM?

For the unfamiliar, the Node Package Manager (or NPM) is used by developers and users to obtain and manage Node.js libraries that they can use inside a software project written in JavaScript. While these packages are typically scoped to a specific project folder, users also have the ability to install packages globally on a device. NPM is often used to install CLI tools that are invoked directly by end users in their terminal. For example, the command npm install -g grunt will install the grunt package and automatically make the grunt command available in the terminal.

Many NPM Packages globally install binaries in your $PATH

Why Did Kolide Add NPM Package Visibility?

Over the last few years, you may have noticed a substantial increase in supply chain attacks on popular package management systems. In a supply chain attack, a bad actor obtains control of a popular package, pushes a new version that contains a malicious payload, and then distributes it via official channels. In this scenario, package managers like NPM may download the malicious version of the package and automatically execute the payload which then compromises the device.

While Microsoft (the owner of the NPM registry) continues to bolster the security of the NPM registry (most recently by requiring two-factor auth for the top 500 maintainers), these supply chain attacks continue to be a risk. Getting visibility of NPM packages across your device fleet is now an important requirement for many IT and Security practitioners, even for devices used by non-developers.

Kolide is now capable of providing that visibility by default for all three platforms we support (Mac, Windows, and Linux).

How Does NPM Package Visibility Work?

While the osquery agent has supported enumerating NPM packages in the past, this support was severely lacking. First, it only worked on Linux devices, and second, it had an out-of-date list of folders it would scan looking for package.json files.

Last March, Kolide contributed a PR that improved this table significantly. It brings support to both Mac and Windows, while also expanding the list of locations where third-party package managers like Homebrew install Node.js itself.

Recently, the osquery core team released version 5.3.0, which brought this new npm_packages table to the mainstream. Once this version had rolled out across our customers, we wanted to swiftly add support for it in Kolide’s Device Inventory.

NPM Packages can be searched for in the top-level Super Duper Search

We’ve also made this information available in our Reporting DB feature where you can query the data to build your own reports and even your own API endpoints.

NPM Registry API Augmentation

Like many of our other Inventory items, in addition to the data Kolide obtains from the osquery table, Kolide will also reach out programmatically to the NPM registry’s API and decorate the data with information like:

  • the latest published version
  • the date that version was released
  • a list of the package’s keywords
  • the package’s maintainers
  • the week’s download count

This information is automatically updated at least every 48 hours and allows you to do some novel queries inside of our reporting DB.
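The augmentation step described above, as an added example that is not Kolide's code: it reads the public registry document (https://registry.npmjs.org/<name>) and the downloads endpoint (https://api.npmjs.org/downloads/point/last-week/<name>) and pulls out the five fields listed. The sample responses are constructed, the 48-hour refresh check mirrors the cadence the post states, and how Kolide itself queries these APIs is an assumption.

```python
"""Decorate an installed npm package with npm registry metadata.

Added example for this post, not Kolide's code. It uses the public registry
document (https://registry.npmjs.org/<name>) and the downloads endpoint
(https://api.npmjs.org/downloads/point/last-week/<name>) and pulls out the
fields the post lists. How Kolide actually queries those APIs is an assumption.
"""
import json
import urllib.request
from datetime import datetime, timedelta
from typing import Any, Callable, Dict, Tuple
from urllib.parse import quote

REGISTRY = "https://registry.npmjs.org/"
DOWNLOADS = "https://api.npmjs.org/downloads/point/last-week/"

# Constructed sample responses (shape follows the real APIs; values are made up).
SAMPLE_REGISTRY_DOC: Dict[str, Any] = {
    "name": "grunt",
    "dist-tags": {"latest": "1.6.1"},
    "time": {"1.5.3": "2022-04-12T10:00:00.000Z", "1.6.1": "2023-02-01T09:30:00.000Z"},
    "versions": {"1.6.1": {"keywords": ["task", "runner"]}},
    "maintainers": [{"name": "alice", "email": "alice@example.com"}],
}
SAMPLE_DOWNLOADS_DOC: Dict[str, Any] = {"downloads": 12345, "package": "grunt"}


def fetch_json(url: str, timeout: float = 10.0) -> Dict[str, Any]:
    """Real network fetch; swapped out for sample_fetch when running offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def sample_fetch(url: str) -> Dict[str, Any]:
    """Offline stand-in for fetch_json that serves the constructed documents."""
    return SAMPLE_DOWNLOADS_DOC if url.startswith(DOWNLOADS) else SAMPLE_REGISTRY_DOC


def summarize_registry_doc(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Extract latest version, its release date, keywords and maintainers."""
    latest = doc.get("dist-tags", {}).get("latest", "")
    return {
        "latest_version": latest,
        "latest_released": doc.get("time", {}).get(latest, ""),
        "keywords": list(doc.get("versions", {}).get(latest, {}).get("keywords", [])),
        "maintainers": [m.get("name", "") for m in doc.get("maintainers", [])],
    }


def _version_key(version: str) -> Tuple[int, ...]:
    """Numeric core of a semver string; pre-release/build tags are ignored (simplification)."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed: str, latest: str) -> bool:
    """True when the installed version is numerically behind the registry's latest."""
    if not installed or not latest:
        return False
    return _version_key(installed) < _version_key(latest)


def needs_refresh(last_updated_iso: str, now_iso: str, max_age_hours: int = 48) -> bool:
    """Re-query the registry once cached metadata is older than max_age_hours."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_updated_iso)
    return age >= timedelta(hours=max_age_hours)


def augment_package(name: str, installed_version: str,
                    fetch: Callable[[str], Dict[str, Any]] = fetch_json) -> Dict[str, Any]:
    """Merge inventory data (name, installed version) with registry metadata."""
    # Scoped names must be encoded as @scope%2Fname in the registry URL.
    registry = summarize_registry_doc(fetch(REGISTRY + quote(name, safe="@")))
    downloads = fetch(DOWNLOADS + quote(name, safe="@/"))
    info = {"name": name, "installed_version": installed_version, **registry}
    info["weekly_downloads"] = int(downloads.get("downloads", 0))
    info["outdated"] = is_outdated(installed_version, registry["latest_version"])
    return info


if __name__ == "__main__":
    print(json.dumps(augment_package("grunt", "1.5.3", fetch=sample_fetch), indent=2))
```

The `outdated` flag is the kind of derived field the post's "novel queries" rely on: join the fleet's installed versions against the registry's latest and list every device still running an older release.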

Kolide’s Inventory Docs now include example queries you may wish to run in our Reporting DB

Running Live Queries

If you want to know more about NPM Packages outside the default folders, the npm_packages table can take an optional directory argument and enumerate the top-level package.json file in any directory you choose.

Here is an example Live Query run on my Mac that enumerates some of the NPM packages we use in the Kolide product. Feel free to adjust the query to your needs!

In a Live Query, you can use the directory column to enumerate the NPM packages in any directory with a valid package.json file.
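What the npm_packages table does for a given directory, and what Kolide's PR extended to the default global locations on each platform, as an added example that is neither Kolide's nor osquery's code: walk <directory>/node_modules, parse each top-level package.json (scoped @org/name packages included) and emit one row per package. The global prefix list, the constructed sample tree and the exact column set are assumptions; only the directory argument comes from the post.

```python
"""Enumerate npm packages under a directory's node_modules folder.

Added example for this post: it mirrors what the osquery npm_packages table
does when given a `directory` value (walk <directory>/node_modules and parse
each top-level package.json). It is not Kolide's or osquery's own code, and
the default global locations below are assumptions, not osquery's list.
"""
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumed common global install prefixes (Node installed via Homebrew, distro
# packages, or a user-level npm prefix). Assumption: not the table's real list.
DEFAULT_GLOBAL_DIRS = [
    "/usr/local/lib",
    "/opt/homebrew/lib",
    "/usr/lib",
    os.path.expanduser("~/.npm-global/lib"),
]

# Equivalent osquery Live Query for one directory (the `directory` column is
# the optional argument the post describes; name and version are standard
# columns of that table):
#   SELECT name, version FROM npm_packages WHERE directory = '/path/to/project';


def _read_package_json(path: Path, directory: str) -> Optional[Dict[str, str]]:
    """Parse one package.json into a flat row; return None if unusable."""
    try:
        with path.open(encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return None  # unreadable or malformed manifest: skip rather than abort
    if not isinstance(data, dict) or not data.get("name"):
        return None
    author = data.get("author", "")
    if isinstance(author, dict):  # npm allows {"name": ..., "email": ...}
        author = author.get("name", "")
    return {
        "name": str(data["name"]),
        "version": str(data.get("version", "")),
        "description": str(data.get("description", "")),
        "license": str(data.get("license", "")),
        "author": str(author),
        "path": str(path),
        "directory": directory,
    }


def enumerate_npm_packages(directory: str) -> List[Dict[str, str]]:
    """Return one row per package in <directory>/node_modules, scoped ones included."""
    modules = Path(directory) / "node_modules"
    if not modules.is_dir():
        return []
    manifests = [p for p in modules.glob("*/package.json") if not p.parent.name.startswith("@")]
    manifests += modules.glob("@*/*/package.json")
    rows = [_read_package_json(p, directory) for p in manifests]
    return sorted((r for r in rows if r), key=lambda r: r["name"])


def scan_global_packages(prefixes: List[str] = DEFAULT_GLOBAL_DIRS) -> List[Dict[str, str]]:
    """Enumerate globally installed packages across the assumed prefixes."""
    rows: List[Dict[str, str]] = []
    for prefix in prefixes:
        rows.extend(enumerate_npm_packages(prefix))
    return rows


def build_sample_tree() -> str:
    """Create a constructed node_modules tree in a temp dir (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="npm-inventory-demo-"))
    samples = {
        "grunt": {"name": "grunt", "version": "1.0.0", "license": "MIT",
                  "author": {"name": "Sample Author"}},
        "@example/widget": {"name": "@example/widget", "version": "2.3.4"},
    }
    for folder, manifest in samples.items():
        pkg_dir = root / "node_modules" / folder
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    # A broken manifest, to show that one bad file does not break the scan.
    broken = root / "node_modules" / "broken"
    broken.mkdir()
    (broken / "package.json").write_text("{not json", encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for row in enumerate_npm_packages(build_sample_tree()):
        print(f"{row['name']:<20} {row['version']:<8} {row['path']}")
```

Run it without arguments to see the constructed tree enumerated; call scan_global_packages() to get the same rows for the assumed global prefixes on a real machine. A malformed package.json is skipped rather than failing the whole scan, which matters on a fleet where a single corrupt manifest should not hide every other package on the device.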

Privacy Center and Data Collection

Like all of our device properties, we have included relevant information about NPM packages in the Privacy Center. This includes:

  • The purpose of collection
  • Privacy information
  • A representative data set of what information the device will return

We collect NPM Packages by default. If you don’t want to collect this data from your fleet, you can also take advantage of our new data collection opt-out feature.

We hope you enjoy this new addition to Inventory. As always, we encourage you to reach out to us for more suggestions, questions, and feedback. If there is something Kolide should be enumerating, we want to know about it!
