Over the last two weeks, npm has seen a number of novel malware attacks. If you’re a Repository Firewall customer, you can protect your software supply chain from these threats. The following instructions assume that you own Repository Firewall but aren’t currently using Repository Firewall to block incoming threats.
For more instructions on finding, removing, and protecting yourself from this new malware, see our new documentation page about the issue.
Prerequisites
Ensure Sonatype IQ Server is installed and licensed for Repository Firewall.
Connect Nexus Repository Manager to IQ Server.
Confirm the Firewall feature is enabled on the target artifact manager.
Enable Firewall Audit and Quarantine in Nexus Repository Manager
In Nexus Repository Manager, go to Settings → System → Capabilities.
Add a new capability: Firewall: Audit and Quarantine.
Select the target proxy repository.
Check Enable Quarantine for Repository and save.
- Note: Quarantine must be enabled to block critical threats. Disabling quarantine releases all previously quarantined components, and they will not be re-quarantined unless newly requested.
Verify Required Policies in IQ Server
Verify the Security-Malicious policy. Make sure the details match the below exactly.
- Name: Security-Malicious
- Threat Level: 10 (Critical)
- Inheritance: All Applications and Repositories
- Constraint: “Security Vulnerability Category is Malicious Code”
- Actions: Set to Fail at the Proxy stage and all other stages.
- Notifications: As desired (recommend including Proxy stage)
Reference: Security Policies
Verify the Integrity-Rating policy.
- Purpose: Protects against releases flagged by Sonatype’s ML/AI or under review.
- Configuration:
  - Name: Integrity-Rating
  - Threat Level: 9 (Critical)
  - Inheritance: All Applications and Repositories
  - Constraints:
    - “Pending integrity rating” → Integrity Rating is Pending
    - “Suspicious integrity rating” → Integrity Rating is Suspicious
  - Actions: Set to Fail at the Proxy stage
  - Notifications: As desired (recommend including Proxy stage)
Reference: Release Integrity
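The two policy checks above can be turned into a repeatable audit. The following is an added example, not Sonatype code: it compares exported policy records with the settings required on this page and reports every deviation. The record fields (name, threat_level, inheritance, constraints, actions) and the stage names other than proxy are assumptions for illustration; map them from however you export policies from IQ Server.

```python
# Added example (not Sonatype's code); the policy record shape is an assumption.
EXPECTED = {
    "Security-Malicious": {
        "threat_level": 10,
        "constraints": {"Security Vulnerability Category is Malicious Code"},
        "fail_all_stages": True,   # page: Fail at the Proxy stage and all others
    },
    "Integrity-Rating": {
        "threat_level": 9,
        "constraints": {"Integrity Rating is Pending",
                        "Integrity Rating is Suspicious"},
        "fail_all_stages": False,  # page: Fail at the Proxy stage
    },
}
INHERITANCE = "All Applications and Repositories"

def check_policies(policies):
    """Compare exported policy records with EXPECTED; return a list of findings."""
    findings = []
    by_name = {p["name"]: p for p in policies}
    for name, want in EXPECTED.items():
        got = by_name.get(name)
        if got is None:
            findings.append(f"{name}: policy missing")
            continue
        if got["threat_level"] != want["threat_level"]:
            findings.append(f"{name}: threat level {got['threat_level']}, expected {want['threat_level']}")
        if got["inheritance"] != INHERITANCE:
            findings.append(f"{name}: inheritance is '{got['inheritance']}'")
        missing = want["constraints"] - set(got["constraints"])
        if missing:
            findings.append(f"{name}: missing constraints {sorted(missing)}")
        actions = got["actions"]
        if actions.get("proxy") != "fail":
            findings.append(f"{name}: Proxy stage action is '{actions.get('proxy')}'")
        if want["fail_all_stages"]:
            soft = sorted(s for s, a in actions.items() if a != "fail")
            if soft:
                findings.append(f"{name}: stages not set to fail: {soft}")
    return findings

# Constructed sample: Security-Malicious only warns at build, and Integrity-Rating
# lacks the Suspicious constraint. Stage names other than proxy are illustrative.
SAMPLE_POLICIES = [
    {"name": "Security-Malicious", "threat_level": 10, "inheritance": INHERITANCE,
     "constraints": ["Security Vulnerability Category is Malicious Code"],
     "actions": {"proxy": "fail", "build": "warn", "release": "fail"}},
    {"name": "Integrity-Rating", "threat_level": 9, "inheritance": INHERITANCE,
     "constraints": ["Integrity Rating is Pending"], "actions": {"proxy": "fail"}},
]
```

Running `check_policies(SAMPLE_POLICIES)` returns one finding per policy for the sample; an empty list means both policies match the page's requirements.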
Validate Policy Application
In Nexus Repository, verify that each npm proxy repository has the “Firewall: Audit and Quarantine” capability enabled with the “Quarantine” option checked.
OR
In Repository Firewall, go to the “Repository Managers” view, sort by Format, and verify that each npm proxy repository has “Audit, Quarantine” in the Enablement column.
Understand Scope: New Versus Existing Components
Repository Firewall only quarantines newly requested components. Components already in proxy repositories will be audited, but not quarantined. Use the Automatic Malware Management task to remove malware that’s already in your proxy repositories.
Best Practices
Enable Policy Compliant Component Selection and Automatic Quarantine Release to minimize development friction.
Notify development teams about the change in enforcement, and make a plan for managing quarantined components and automatic releases.
Schedule a meeting with your Customer Success rep to check your configuration for maximum effectiveness.