https://github.com/6mile/panda-mirror
Identify what Chinese NPM mirrors are caching malicious packages
- Host: GitHub
- URL: https://github.com/6mile/panda-mirror
- Owner: 6mile
- Created: 2025-09-20T05:49:14.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2025-09-20T05:55:33.000Z (4 months ago)
- Last Synced: 2025-09-20T07:22:36.369Z (4 months ago)
- Language: Python
- Size: 2.93 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
README

# Panda Mirror: How the Chinese CCP Manipulates NPM
This presentation, "Panda Mirror - Canberra BSides," by Paul McCarty, delves into the manipulation of the NPM (Node Package Manager) ecosystem by the Chinese Communist Party (CCP).
## Key Takeaways:
* **NPM's Scale and Insecurity:** NPM is the world's largest software registry, with millions of packages and thousands of daily updates, yet it was built "before security" and is highly vulnerable to malicious packages.
* **Global Mirrors and Chinese Anomalies:** There are eight global NPM mirrors. While most mirrors honour package deletion events from the root registry, several Chinese mirrors (r.cnpmjs.org, registry.npmmirror.com, repo.huaweicloud.com, mirrors.cloud.tencent.com, registry.npm.taobao.org) have been modified so that they keep serving deleted packages, including malicious ones.
* **CCP's Focus on Source Code Weaponization:** The CCP, through regulations like the "Regulations on the Management of Network Product Security Vulnerabilities" (RMSV), is actively focusing on weaponizing software vulnerabilities and has access to internal code repositories. The Chinese NVDB (National Vulnerability Database) does not publish vulnerabilities but shares them with ministry departments for offensive work.
* **Exploiting the Mirror Discrepancy:** The speaker used the "bug" in the Chinese mirrors (their failure to respect deletion events) to collect NPM malware samples for over a year.
* **Impact and Solutions:** This intelligence was used to analyze the malware, to build detection rules, and to create a CTI (Cyber Threat Intelligence) portal that tracks the threat actors involved. The presentation highlights the critical need to integrate software supply chain intelligence into enterprise CTI.
This research underscores the significant threat posed by nation-state actors manipulating critical software infrastructure and the importance of understanding and mitigating these risks.
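The mirror discrepancy described above can be checked from the defender's side by comparing a mirror's package document with the root registry's. The following script is an added example, not code from the panda-mirror repository; it assumes the npm package-document shape (`GET <registry>/<name>`, a `versions` map, and a `time.unpublished` entry when the whole package has been removed), and the registry documents and hostnames below are constructed samples rather than real responses.

```python
"""Flag mirrors that still serve package versions the root registry has removed.

Example code (assumption: npm-style package documents; samples are constructed).
"""
from urllib.parse import quote

def registry_doc_url(base: str, name: str) -> str:
    """Package-document URL; scoped names keep '@' but encode the slash as %2F."""
    return f"{base.rstrip('/')}/{quote(name, safe='@')}"

def is_unpublished_upstream(doc: dict) -> bool:
    """True when the root registry reports the whole package as unpublished."""
    return "unpublished" in doc.get("time", {})

def upstream_versions(doc: dict) -> set:
    """Versions the root registry still serves (empty for 404 or unpublished docs)."""
    if "error" in doc or is_unpublished_upstream(doc):
        return set()
    return set(doc.get("versions", {}))

def retained_versions(root_doc: dict, mirror_doc: dict) -> list:
    """Versions a mirror serves that the root registry no longer does."""
    served = set() if "error" in mirror_doc else set(mirror_doc.get("versions", {}))
    return sorted(served - upstream_versions(root_doc))

def find_retaining_mirrors(root_doc: dict, mirror_docs: dict) -> dict:
    """Map each mirror host to the removed versions it still serves (non-empty only)."""
    result = {}
    for host, doc in mirror_docs.items():
        kept = retained_versions(root_doc, doc)
        if kept:
            result[host] = kept
    return result

# Constructed sample: the root registry shows the package as fully unpublished.
ROOT_DOC = {
    "name": "example-pkg",
    "time": {"created": "2025-01-01T00:00:00.000Z",
             "unpublished": {"time": "2025-01-05T00:00:00.000Z",
                             "versions": ["1.0.0", "1.0.1"]}},
}
# Constructed sample: mirror-a ignored the deletion, mirror-b honoured it.
MIRROR_DOCS = {
    "mirror-a.example": {"name": "example-pkg",
                         "versions": {"1.0.0": {}, "1.0.1": {}}},
    "mirror-b.example": {"error": "not found"},
}
```

Because the comparison is on version sets, the same check also catches a mirror that keeps a single unpublished version of a package that otherwise still exists upstream.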