npm (originally short for Node Package Manager) is a very popular package manager for the JavaScript programming language. Maintainers of the open source packages published to the npm registry typically register with an email address, and security consultant Lance Vick recently demonstrated a security flaw in how the NPM Registry relies on those addresses.
What he demonstrated is that the domain behind a maintainer's email address can expire and then be purchased by a threat actor, who can recreate that maintainer email address and take over control of the npm packages managed by that account. In his example, Vick registered an expired domain and took over an email address linked to an npm library that is downloaded roughly 6,000,000 times per week. In the hands of an attacker, the same control would allow them to modify these libraries with malicious content and infect millions of users without any change in the victims' behavior.
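To turn this finding into a routine check on your own dependency tree, here is an added Python example (not from the article, Vick, or the npm project) that reads the `maintainers` field from `npm view <package> --json` output and flags packages whose maintainer email domains no longer resolve. The sample metadata and the offline resolver stub are constructed; a real run would call the live resolver and follow up with a WHOIS expiry-date check.

```python
"""Audit npm maintainer e-mail domains for lapsed-domain takeover risk.

Added example. Input is the JSON printed by `npm view <package> --json`
(only the `maintainers` field is used). The DNS check is injectable so
the script can run offline against a constructed resolver stub.
"""
import json
import socket
from typing import Callable, Dict, List

# Constructed sample of what `npm view ... --json` returns for two packages.
SAMPLE_METADATA = [
    {"name": "example-widget", "maintainers": [
        {"name": "alice", "email": "alice@example.com"},
        {"name": "bob", "email": "bob@lapsed-domain.invalid"}]},
    {"name": "example-utils", "maintainers": [
        {"name": "carol", "email": "carol@example.org"}]},
]


def maintainer_domains(metadata: dict) -> Dict[str, List[str]]:
    """Map each maintainer e-mail domain to the maintainer names using it."""
    out: Dict[str, List[str]] = {}
    for m in metadata.get("maintainers", []):
        email = m.get("email", "")
        if "@" not in email:
            continue  # address hidden or malformed: nothing to check
        domain = email.rsplit("@", 1)[1].lower()
        out.setdefault(domain, []).append(m.get("name", "?"))
    return out


def domain_resolves(domain: str) -> bool:
    """Live check: a domain with no A/AAAA record deserves a WHOIS look."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit(packages: List[dict],
          resolves: Callable[[str], bool] = domain_resolves) -> Dict[str, List[str]]:
    """Return {package: [unresolvable maintainer domains]} needing review."""
    findings: Dict[str, List[str]] = {}
    for pkg in packages:
        bad = sorted(d for d in maintainer_domains(pkg) if not resolves(d))
        if bad:
            findings[pkg["name"]] = bad
    return findings


if __name__ == "__main__":
    # Constructed resolver stub so the demo runs without network access.
    known = {"example.com", "example.org"}
    print(json.dumps(audit(SAMPLE_METADATA, lambda d: d in known), indent=2))
```

A domain that still resolves can already have been re-registered by someone else, so this only catches the lapsed stage; the registrar's expiry date is the stronger signal.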
In response to these findings, GitHub has launched a beta test of its improved MFA implementation for all NPM maintainer accounts. It includes support for multiple second factors, a new MFA configuration for managing keys and recovery codes, full CLI support, and the ability to review and regenerate recovery codes. GitHub also said that on May 31, 2022, the maintainers of the top 500 NPM packages will be automatically enrolled in MFA. Then, later this year, maintainers with packages that are downloaded more than one million times per week (or that have more than 500 dependents) will also be required to adopt MFA.
For the full report on these findings, visit: https://www.theregister.com/2022/05/10/security_npm_email/
