NPM has about 4 million packages, Maven Central has about 3 million packages.

If this were true, wouldn't there have been at least one Maven attack by now, considering the number of NPM attacks that we've seen?

Been a while since I looked into this, but afaik Maven Central is run by Sonatype, which happens to be one of the major players for systems related to Supply Chain Security.

From what I remember (a few years old, things may have changed) they required devs to stage packages to a specific test env, packages were inspected not only for malware but also vulnerabilities before being released to the public.

NPM on the other hand... Write a package -> publish. Npm might scan for malware, they might do a few additional checks, but at least back when I looked into it nothing happened proactively.

npm is run by github / microsoft now, which also sells security products...

There were. They're just not as popular here. For example https://www.sonatype.com/blog/malware-removed-from-maven-cen...

Maven is also a bit more complex than npm and had an issue in the system itself https://arxiv.org/html/2407.18760v4

As of 2024, Maven had 1.5 trillion requests annually vs npm's 4.5 trillion - regardless of package count, 3x more downloads in total does make it a very big target (numbers from https://www.sonatype.com/state-of-the-software-supply-chain/...).

No. Having many packages might not be the only reason to start an attack. This post shows it is/was possible in the Maven ecosystem: https://blog.oversecured.com/Introducing-MavenGate-a-supply-...

One speculation would be is that most Java apps in the wild use way older Java versions (say 17/11, while the latest will LTS is 21).

Okay then, explain to me why this is only possible with NPM? Does it have a hidden "pwn" button that I don't know about?

>Does it have a hidden "pwn" button that I don't know about?

Perhaps its package owners do.

NPM executes packages as you download them.

Make no mistake, Maven Central does get multiple malware components uploaded each year, though not nearly to the same extent as npm or pypi. Sonatype (my former employer) just doesn't report on these publicly each time it happens. It's not an isolated problem but certainly harder to do with maven.

I assume you're talking about malware uploaded to new artifact coordinates (possibly named so as to try to confuse users), not hijacking of existing artifact coordinates (group ID, artifact ID)?

generally yes, although hijacking can and has happened on Central with expired maintainer domains reclaimed by threat actor who can then republish malicious versions of a previously legit group/artifact ID. there's also the problem of mirrors or copies of hijacked npm being replicated on Central -https://x.com/SocketSecurity/status/1993389518247149907

The concern is not 'could' happen, but _does_ happen. I know this could occur in many places. But where it seems highly prevalent is NPM.

And I am genuinely thinking to myself, is this making using npm a risk?

Just use dependency cooldown. It will mitigate a lot of risk.

If you started your Node project yesterday, wouldn't that mean you'd get the fix later?

no, because if you used dependency cooldown you wouldn't be using the latest version when you start your project, you would be using the one that is <cooldown period> days/versions old

edit: but if that's also compromised earlier... \o/

Obviously you bypass the cooldown to fix critical issues.

NPM is the largest possible target for such an attack.

Attack an important package, and you can get into the Node and Electron ecosystem. That's a huge prize.

Value is one thing but the average user (by virtue of being popular) will be just less clued in on any security practices that could mitigate the problem.