A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack.
“The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password,” software supply chain security company Illustria said in a report.
Although npm’s security protections restrict users to having only a single active email address per account, the Israeli company said it was able to reset the GitHub password using the recovered domain.

The attack, in a nutshell, grants a threat actor access to the package’s associated GitHub account, effectively making it possible to publish trojanized versions to the npm registry that can be weaponized to carry out supply chain attacks at scale.
This is achieved by taking advantage of a GitHub Action that is configured in the repository to automatically publish the package when new code changes are pushed.
“Even though the maintainer’s npm user account is properly configured with [two-factor authentication], this automation token bypasses it,” Bogdan Kortnov, co-founder and CTO of Illustria, said.
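To make the automation-token weakness concrete, here is an added, constructed example of the kind of publish workflow the report describes, followed by a hardened version. Neither workflow is from the page, from Illustria, or from the affected package; the workflow names, the `NPM_TOKEN` secret name and the `release` environment name are assumptions chosen for illustration.

```yaml
# Weak configuration (constructed example, .github/workflows/publish-weak.yml):
# every push to main publishes to npm with a long-lived automation token kept
# as a repository secret. npm automation tokens are exempt from the account's
# 2FA prompt, so whoever controls the GitHub account (for instance after the
# expired-domain password reset described in the article) can ship a release
# simply by pushing a commit.
name: publish-weak
on:
  push:
    branches: [main]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived automation token, bypasses 2FA

---
# Hardened configuration (constructed example, .github/workflows/publish.yml):
# 1. Trigger only on a published GitHub release, not on every push, so a
#    rogue commit alone does not reach the registry.
# 2. Run inside a protected environment ("release", assumed name) configured
#    in the repository settings with required reviewers; the job pauses until
#    a second maintainer approves the deployment.
# 3. Keep the token as an environment secret (only this environment can read
#    it) and use an npm granular access token scoped to this one package with
#    an expiry date, rather than a classic automation token.
# 4. Publish with provenance so consumers can verify which workflow and commit
#    produced the tarball; this needs id-token: write and npm 9.5 or later.
name: publish
on:
  release:
    types: [published]
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: release
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm audit signatures        # verify registry signatures of installed dependencies
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # package-scoped, expiring granular token
```

The strongest setting for a package that can afford manual releases is npm’s package-level option “Require two-factor authentication and disallow tokens”, which closes the token path entirely; the hardened workflow above is the compromise for projects that still need CI publishing, since the required-reviewer gate and the release-only trigger mean a single compromised GitHub account can no longer push a trojanized version on its own.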
Illustria did not disclose the name of the module, but noted that it reached out to its maintainer, who has since taken steps to secure the account.
This is not the first time developer accounts have been found vulnerable to takeovers in recent years. In May 2022, a threat actor registered an expired domain used by the maintainer associated with the ctx Python package to seize control of the account and distribute a malicious version.
Some parts of this article are sourced from:
thehackernews.com