How to List NPM Packages Across All Mac, Windows, and Linux Devices
Using Kolide, you can easily view and query NPM Packages across your fleet.
Introduction
JavaScript (often abbreviated as JS) is a popular programming language used for both web apps and on-device software (typically built on a JS runtime called Node.js). Many JavaScript programs import third-party libraries that are obtained from package registries. Node Package Manager (NPM) is a package manager for importing and managing the dependencies of various third-party JS libraries; NPM also refers to the registry from which those packages are obtained.
While NPM packages are typically installed locally on a per-project basis, you can also install system-wide (or global) packages, which install command-line tools that are available on the default $PATH.
Kolide collects the globally installed NPM packages found in the following locations (`%` matches any user name):
- /usr/local/lib
- /opt/homebrew/lib
- /usr/lib
- /home/%/.npm-global/lib
- /Users/%/.npm-global/lib
- C:\Users\%\AppData\Roaming\npm
- Paths in [HKU|HKLM]\SOFTWARE\Node.js\InstallPath
What NPM Package Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect NPM Packages from Mac, Windows, and Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
NPM Packages Schema
Column | Type | Description
---|---|---
id | Primary Key | Unique identifier for the object
device_id | Foreign Key | Device associated with the entry
device_name | Text | Display name of the device associated with the entry
author | Text | NPM package author
directory | Text | Directory where NPM packages are located
homepage | Text | The author-supplied homepage of the NPM package
license | Text | The author-supplied license of the NPM package
name | Text | NPM package display name
npm_registry_downloads_report | Jsonb | The raw JSON response from the NPM Registry API regarding weekly downloads
npm_registry_keywords | Text[] | Package author-provided keywords registered in the NPM Registry
npm_registry_latest_version | Text | The latest version available for this package in the NPM Registry
npm_registry_maintainers | Jsonb | Package author-provided maintainers registered in the NPM Registry
npm_registry_release_tags | Jsonb | The distribution tags for the package (often used to define releases) registered in the NPM Registry
npm_registry_updated_at | Timestamp | The freshness of the NPM Registry data associated with this package
npm_registry_version_released_at | Timestamp | The time the latest version was released for this package in the NPM Registry
npm_registry_weekly_downloads_count | Bigint | The total number of downloads from the NPM Registry over the last 7 days
path | Text | Path at which the module in the NPM package resides
summary | Text | NPM package-supplied description
version | Text | The text representation of the version
version_major | Bigint |
version_minor | Bigint |
version_patch | Bigint |
version_subpatch | Bigint |
version_pre | Text |
version_build | Text |
collected_at | Timestamp | Time the row of data was first collected in the database
updated_at | Timestamp | Time the row of data was last changed in the database
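As an added illustration (not Kolide's or osquery's own code), the following Python sketch reproduces the collection described on this page: it walks the global lib directories listed earlier, reads each package's package.json (including @scoped packages), and splits the version string into the version_major/minor/patch/pre/build columns of the schema above. The directory list, the `@scope/cli` package and the sample manifests are constructed for the example.

```python
import glob, json, re, tempfile
from pathlib import Path
# Global install roots the page lists; "*" stands in for the page's "%" user wildcard.
GLOBAL_LIB_DIRS = ["/usr/local/lib", "/opt/homebrew/lib", "/usr/lib", "/home/*/.npm-global/lib",
                   "/Users/*/.npm-global/lib", "C:/Users/*/AppData/Roaming/npm"]
# Strict semver: major.minor.patch with optional -prerelease and +build metadata.
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+([0-9A-Za-z.-]+))?$")

def split_version(version):
    """Return (major, minor, patch, pre, build); all None when the string is not strict semver."""
    m = SEMVER.match(version or "")
    if not m:
        return (None, None, None, None, None)
    major, minor, patch, pre, build = m.groups()
    return (int(major), int(minor), int(patch), pre, build)

def _text(field):
    # package.json allows author/license as a plain string or an object ("name"/"type").
    return (field.get("name") or field.get("type")) if isinstance(field, dict) else field

def collect_global_packages(lib_dirs=GLOBAL_LIB_DIRS):
    """One schema-shaped row per package.json under <lib>/node_modules, @scoped ones included."""
    rows = []
    for lib in lib_dirs:
        patterns = [f"{lib}/node_modules/*/package.json", f"{lib}/node_modules/@*/*/package.json"]
        for manifest in sorted(p for pat in patterns for p in glob.glob(pat)):
            try:
                pkg = json.loads(Path(manifest).read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or corrupt manifest: skip it, keep scanning the rest
            major, minor, patch, pre, build = split_version(pkg.get("version"))
            rows.append({"name": pkg.get("name"), "version": pkg.get("version"), "directory": lib,
                         "version_major": major, "version_minor": minor, "version_patch": patch,
                         "version_pre": pre, "version_build": build, "path": str(Path(manifest).parent),
                         "license": _text(pkg.get("license")), "author": _text(pkg.get("author")),
                         "homepage": pkg.get("homepage"), "summary": pkg.get("description")})
    return rows

def demo():
    """Scan a constructed lib tree (sample manifests, not data from a real device)."""
    root = tempfile.mkdtemp()
    samples = {"tldr": {"name": "tldr", "version": "3.3.7", "license": "MIT",
                        "homepage": "http://tldr-pages.github.io"},
               "@scope/cli": {"name": "@scope/cli", "version": "1.0.0-beta.2+build.7",
                              "license": {"type": "ISC"}, "author": {"name": "Example Dev"}}}
    for sub, manifest in samples.items():
        d = Path(root, "node_modules", sub); d.mkdir(parents=True)
        d.joinpath("package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return sorted(collect_global_packages([root]), key=lambda r: r["name"])
```

Point `collect_global_packages()` at the real roots to get rows you can compare against what Inventory reports for the same device.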
What Can You Do With This Information?
Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can find installed packages whose license mentions GPL:

```sql
SELECT
  "device_npm_packages".name,
  "device_npm_packages".homepage,
  "device_npm_packages".license
FROM
  "device_npm_packages"
WHERE
  "device_npm_packages".license ILIKE '%GPL%';
```

name | license | homepage
---|---|---
node-forge | (BSD-3-Clause OR GPL-2.0) | https://github.com/digitalbazaar/forge
You can list packages whose installed version differs from the latest version published in the NPM Registry:

```sql
SELECT
  "device_npm_packages".name,
  "device_npm_packages".version AS installed_version,
  "device_npm_packages".npm_registry_latest_version AS latest_version,
  "device_npm_packages".homepage
FROM
  "device_npm_packages"
WHERE
  "device_npm_packages".version != "device_npm_packages".npm_registry_latest_version;
```

name | homepage | latest_version | installed_version
---|---|---|---
npm | https://docs.npmjs.com/ | 8.13.1 | 8.5.5
You can also surface packages with low real-world usage, here fewer than 1,000 downloads from the NPM Registry in the last 7 days:

```sql
SELECT
  "device_npm_packages".name,
  "device_npm_packages".version AS installed_version,
  "device_npm_packages".npm_registry_weekly_downloads_count AS weekly_downloads,
  "device_npm_packages".homepage
FROM
  "device_npm_packages"
WHERE
  "device_npm_packages".npm_registry_weekly_downloads_count < 1000;
```

name | homepage | weekly_downloads | installed_version
---|---|---|---
tldr | http://tldr-pages.github.io | 852 | 3.3.7
speed-test | (NULL) | 396 | 3.0.0
Why Should I Collect NPM Packages?
Since Node.js is a widely used avenue for installing software, there is the potential for malicious actors to try and use it to distribute malware. The primary way this is accomplished is through a supply chain attack.
In this attack, a bad actor obtains control of a popular package, pushes a new version that contains a malicious payload, and then distributes it via official channels. In this scenario, package managers will automatically download and execute the payload which compromises the device. Cataloging installed NPM Packages allows security and IT practitioners to understand the scope of potential compromise in these attacks.
Given the wide range of software that can be installed through Node.js and NPM, it is important to regularly audit the list of installed packages on a machine. Here are some other use cases where this may be valuable:
- Discovering software dependencies that have undesirable licenses (like GPL)
- Identifying packages that are out of date and may contain vulnerabilities
- Reviewing installed packages to verify desired device configuration
- Locating abandoned packages with low global (real-world) usage
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
NPM package installations may reveal a partial list of the applications installed on your device. This could include software used for personal reasons.
When you use Kolide to list NPM Package data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.