Security

GitHub addressed two major vulnerabilities in the NPM package manager

Maintainers of the npm package manager for the JavaScript programming language disclosed multiple flaws that were recently addressed.

GitHub disclosed two major vulnerabilities in the npm that have been already addressed.

The first vulnerability can be exploited by an attacker to publish new versions of any npm package using an account without proper authorization. The flaw was reported by Kajetan Grzybowski (DrBrix) and Maciej Piechota (haqpl) to GitHub through its bug bounty program on November 2.

“We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry. In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file. This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package.” wrote GitHub security chief Mike Hanley.

The company addressed the flaw in a few hours by ensuring consistency across both the publishing service and authorization service, in this way the same package is being used for both authorization and publishing.

GitHub is not able to determine if the flaw has ever been exploited in attacks.

“This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously. However, we can say with high confidence that this vulnerability has not been exploited maliciously during the timeframe for which we have available telemetry, which goes back to September 2020.” added Haley.

The second flaw was discovered by GitHub’s security team on October 26, and was caused by routine maintenance of one of the project’s publicly available npm services. 

The issue is a data leak on the npmjs’ replication server, which was caused by ‘routine maintenance.’ The leak exposed a list of names of private npm packages during the maintenance window. The content of the packages is not exposed in the same timeframe.

“First, on October 26 we identified an issue caused by routine maintenance of one of our publicly available npm services. During maintenance on the database that powers the public npm replica at replicate.npmjs.com, records were created that could expose the names of private packages,” added Hanley. “This briefly allowed consumers of replicate.npmjs.com to potentially identify the names of private packages due to records published in the public changes feed. No other information, including the content of these private packages, was accessible at any time. Package names in the format of @owner/package for private packages created prior to October 20 were exposed between October 21 13:12:10Z UTC and October 29 15:51:00Z UTC.”

The flaw was addressed on October 29, the company also deleted from the npm’s replication database all records containing private package names.

GitHub is working to improve the security of the npm registry, it plans to introduce two-factor authentication (2FA) authentication for maintainers and admins of popular packages on the repository, The new feature will be implemented starting with a list of top packages in the first quarter of 2022. 

“These investments include the requirement of two-factor authentication (2FA) during authentication for maintainers and admins of popular packages on npm, starting with a cohort of top packages in the first quarter of 2022. Read on to learn more.” Hanley concluded.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, npm)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

3 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

17 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

24 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.