Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Researchers Hijack Popular NPM Package with Millions of Downloads

Feb 16, 2023Ravie LakshmananSupply Chain / Software Security

A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack.

“The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password,” software supply chain security company Illustria said in a report.

While npm’s security protections limit users to have only one active email address per account, the Israeli firm said it was able to reset the GitHub password using the recovered domain.

The attack, in a nutshell, grants a threat actor access to the package’s associated GitHub account, effectively making it possible to publish trojanized versions to the npm registry that can be weaponized to conduct supply chain attacks at scale.

This is achieved by taking advantage of a GitHub Action that’s configured in the repository to automatically publish the packages when new code changes are pushed.

“Even though the maintainer’s npm user account is properly configured with [two-factor authentication], this automation token bypasses it,” Bogdan Kortnov, co-founder and CTO of Illustria, said.

Illustria did not disclose the name of the module, but noted that it reached out to its maintainer, who has since taken steps to secure the account.

This is not the first time developer accounts have been found vulnerable to takeovers in recent years. In May 2022, a threat actor registered an expired domain used by the maintainer associated with the ctx Python package to seize control of the account and distribute a malicious version.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

New Backdoor Attack Uses Russian-Ukrainian Conflict Phishing Emails

New Backdoor Attack Uses Russian-Ukrainian Conflict Phishing Emails

The primary targets of this phishing campaign are located in the Ukrainian regions of Crimea, Donetsk, and Lugansk, which were…
CyberSecure Announces Strategic Alliance

CyberSecure Announces Strategic Alliance

BETHESDA, Md., March 24, 2023 /PRNewswire/ — Cybersecure IPS and LockDown Inc. jointly announce that they have entered a strategic alliance to…
Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own…