Feb 16, 2023, by Ravie Lakshmanan
A popular npm package with more than 3.5 million weekly
downloads has been found vulnerable to an account takeover
attack.
“The package can be taken over by recovering an expired domain
name for one of its maintainers and resetting the password,”
software supply chain security company Illustria said[1]
in a report.
While npm’s security protections limit each account to a single
active email address, the Israeli firm said it was able to reset the
maintainer’s GitHub password using the recovered domain.
The attack, in a nutshell, grants a threat actor access to the
package’s associated GitHub account, effectively making it possible
to publish trojanized versions to the npm registry that can be
weaponized to conduct supply chain attacks at scale.
This is achieved by taking advantage of a GitHub Action that’s
configured in the repository to automatically publish the packages
when new code changes are pushed.
“Even though the maintainer’s npm user account is properly
configured with [two-factor authentication], this automation token
bypasses it,” Bogdan Kortnov, co-founder and CTO of Illustria,
said.
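The publish-on-push automation described above, with a hardened counterpart beside it, as an added example of two GitHub Actions workflow files; this is not the affected repository’s configuration (the report does not name it), and the environment name npm-release and secret name NPM_TOKEN are assumed. The two YAML documents would live in separate workflow files.

```yaml
# Weak pattern (the one the article describes): any push to main publishes.
# Whoever holds the GitHub account can push a commit and ship a release,
# and the long-lived automation token is used with no second factor.
name: publish-on-push
on:
  push:
    branches: [main]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
---
# Hardened pattern: publish only when a release is published, and only from
# a deployment environment ("npm-release", name assumed) whose protection
# rules, set in repository settings, require a reviewer to approve the job.
# A hijacked account can still push code but cannot release alone. The job
# gets minimal permissions; id-token lets npm attach a signed provenance
# statement so consumers can verify which repo and workflow built a version.
name: publish-on-release
on:
  release:
    types: [published]
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The token in NPM_TOKEN still bypasses npm 2FA by design, so the control here is the release trigger plus the environment’s required-reviewer rule, not the token itself; scope it as narrowly as the registry allows.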
Illustria did not disclose the name of the module, but noted
that it reached out to its maintainer, who has since taken steps to
secure the account.
This is not the first time developer[2] accounts[3] have been found
vulnerable to takeovers in recent years. In May 2022, a threat actor
registered[4] an expired domain used by the maintainer of the ctx
Python package to seize control of the account and distribute a
malicious version.
References
Read more https://thehackernews.com/2023/02/researchers-hijack-popular-npm-package.html