A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack.
"The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password," software supply chain security firm Illustria said in a report.
While npm's security protections limit users to a single active email address per account, the Israeli company said it was able to reset the GitHub password using the recovered domain.
The attack, in a nutshell, grants a threat actor access to the package's linked GitHub account, making it possible to publish trojanized versions to the npm registry that can be weaponized to carry out supply chain attacks at scale.
This is achieved by taking advantage of a GitHub Action configured in the repository to automatically publish the package whenever new code changes are pushed.
"Even though the maintainer's npm user account is correctly configured with [two-factor authentication], this automation token bypasses it," Bogdan Kortnov, co-founder and CTO of Illustria, said.
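As an added illustration, not taken from Illustria's report or the package in question, the first workflow below is the kind of publish-on-push automation the attack relies on, and the second gates publishing behind a release event and a reviewed deployment environment; the workflow names, the `npm-release` environment and the `NPM_TOKEN` secret name are assumptions.

```yaml
# Weak: every push to main publishes to npm with a long-lived automation
# token, so the maintainer's npm 2FA is never consulted. Whoever controls
# the GitHub account (or any branch-push path) controls the registry.
name: publish-on-push
on:
  push:
    branches: [main]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # automation token, no 2FA prompt
---
# Hardened: publish only when a GitHub release is published, from a
# protected environment whose required reviewers are a second maintainer
# (a gate the compromised account cannot approve alone), and attach build
# provenance so consumers can see which workflow produced the tarball.
name: publish-on-release
on:
  release:
    types: [published]
permissions:
  contents: read
  id-token: write          # needed for npm provenance attestations (npm >= 9.5)
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release   # assumed environment name; configure required reviewers
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # still a token; the gate is the reviewer
```

The token in the hardened version still bypasses npm 2FA; what changes is that a single hijacked GitHub account can no longer trigger a publish on its own, and the provenance record exposes any publish that did not come from the expected workflow.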
Illustria did not disclose the name of the package, but noted that it reached out to its maintainer, who has since taken steps to secure the account.
This is not the first time developer accounts have been found vulnerable to takeover in recent years. In May 2022, a threat actor registered an expired domain used by the maintainer of the ctx Python package to seize control of the account and distributed a malicious version.