NPM continues to have security problems, and now one affected the update system

A few days ago GitHub disclosed two incidents in the NPM package repository infrastructure. It details that on November 2, third-party security researchers taking part in the bug bounty program found a vulnerability in the NPM repository that allowed a new version of any package to be published by an account that was not authorized to perform such updates.

The vulnerability was caused by incorrect authorization checks in the code of the microservices that process requests to NPM. The authorization service checked permissions on the package named in the request data, but a separate service that uploaded the update to the repository determined which package to publish from the metadata contained in the uploaded package itself.

Thus, an attacker could request the publication of an update for their own package, to which they have access, but place information about another package in the uploaded package itself, and that other package would end up being updated.
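To make the mismatch concrete, here is an added illustration (not npm's code) of a hypothetical mini-registry in which the permission check uses the package name from the request while the publish step trusts the name inside the uploaded metadata, alongside a hardened version that binds the two. The package names, owners and versions are constructed sample data.

```javascript
// Constructed sample state: who may publish which package, and current versions.
const owners = { 'pkg-a': new Set(['alice']), 'pkg-b': new Set(['bob']) };
const registry = { 'pkg-a': '1.0.0', 'pkg-b': '1.0.0' };

// Authorization service: checks the user against one package name.
function authorize(user, pkgName) {
  return owners[pkgName] !== undefined && owners[pkgName].has(user);
}

// Vulnerable flow: authorize on request.name, but publish on metadata.name.
// A user who owns pkg-a can pass the check and still overwrite pkg-b.
function publishVulnerable(user, request) {
  if (!authorize(user, request.name)) return { ok: false, reason: 'forbidden' };
  const meta = request.metadata;          // parsed from the uploaded package
  registry[meta.name] = meta.version;     // BUG: meta.name was never authorized
  return { ok: true, published: meta.name };
}

// Hardened flow: the name that is authorized must be the name that is written,
// and the check is performed on the value the publish step actually uses.
function publishHardened(user, request) {
  const meta = request.metadata;
  if (meta.name !== request.name) return { ok: false, reason: 'name mismatch' };
  if (!authorize(user, meta.name)) return { ok: false, reason: 'forbidden' };
  registry[meta.name] = meta.version;
  return { ok: true, published: meta.name };
}
```

A registry-side detection for the same defect is to log and alert whenever the package name in the upload's metadata differs from the name in the publish request.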

For the past few months, the npm team has been investing in infrastructure and security improvements to automate the monitoring and analysis of recently released package versions to identify malware and other malicious code in real time.

There are two main categories of malware publication events in the npm ecosystem: malware published as a result of account hijacking, and malware that attackers publish through their own accounts. Although high-impact account takeovers are relatively rare compared to malware published directly by attackers from their own accounts, account takeovers can be far reaching when they target the maintainers of popular packages. While our detection and response time for takeovers of popular packages has been as low as 10 minutes in recent incidents, we continue to evolve our malware detection capabilities and notification strategies towards a more proactive response model.

The problem was fixed 6 hours after the vulnerability was reported, but the vulnerability had been present in NPM for longer than the period covered by telemetry logs. GitHub states that there have been no traces of attacks using this vulnerability since September 2020, but there is no guarantee that the problem was not exploited before then.

The second incident took place on October 26. During technical work on the database of the replicant.npmjs.com service, it was discovered that confidential data in the database was accessible to external queries, revealing the names of internal packages that were mentioned in the changelog.

Information about those names can be used to carry out dependency confusion attacks on internal projects (in February, such an attack allowed code to be run on the servers of PayPal, Microsoft, Apple, Netflix, Uber, and 30 other companies).

In addition, in response to the growing number of takeovers of large projects' repositories and of malicious code pushed through compromised developer accounts, GitHub decided to introduce mandatory two-factor authentication. The change will take effect in the first quarter of 2022 and will apply to the maintainers and administrators of the packages on the list of the most popular ones. GitHub also reports on the modernization of its infrastructure, which will introduce automated monitoring and analysis of new package versions for early detection of malicious changes.

Recall that according to a study conducted in 2020, only 9.27% of package maintainers use two-factor authentication to protect access, and in 13.37% of cases, when registering new accounts, developers tried to reuse compromised passwords that appear in known password leaks.

During a check of the strength of the passwords in use, 12% of NPM accounts (13% of packages) could be accessed because of predictable and trivial passwords such as "123456". Among the affected accounts were 4 user accounts belonging to the 20 most popular packages, 13 accounts whose packages were downloaded more than 50 million times per month, 40 with more than 10 million downloads per month, and 282 with more than 1 million downloads per month. Taking into account how modules are loaded along the chain of dependencies, compromising these weakly protected accounts could affect up to 52% of all modules in NPM.

Finally, if you are interested in learning more, you can check the details in the following link.
