GitHub has disclosed two incidents in the NPM package repository infrastructure. On November 2, third-party security researchers (Kajetan Grzybowski and Maciej Piechota), working under the Bug Bounty program, reported a vulnerability in the NPM repository that allowed publishing a new version of any package from an account that is not authorized to perform such updates.
The vulnerability was caused by incorrect authorization checks in the code of the microservices that process requests to NPM. The authorization service checked permissions against the package named in the request data, but a separate service that uploads the update to the repository determined which package to publish from the metadata inside the uploaded package. Thus, an attacker could request publication of an update for a package he had access to, but put the name of a different package in the package's own metadata, and that other package would end up being updated.
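The mismatch described above, modelled as an added example (constructed here, not NPM's code): a simplified publish pipeline in which authorization and publication resolve the target package from two different sources, beside a hardened version that resolves the name once and authorizes against that same name. The package names, owners and manifest are constructed sample data.

```javascript
// Constructed sample ownership table: which accounts may publish which package.
const owners = {
  'alice-pkg': new Set(['alice']),
  'popular-lib': new Set(['bob']),
};

// Authorization check: does `user` own `packageName`?
function authorize(user, packageName) {
  const set = owners[packageName];
  return set !== undefined && set.has(user);
}

// The uploaded tarball's manifest (package.json) declares its own name/version.
function manifestName(payload) {
  return payload.manifest.name;
}

// Flawed flow: authz uses the name from the request, but the publisher
// writes to whatever package the uploaded manifest names (confused deputy).
function publishFlawed(user, requestedName, payload, registry) {
  if (!authorize(user, requestedName)) return { ok: false, reason: 'unauthorized' };
  const target = manifestName(payload); // trusted without cross-checking
  registry[target] = payload.manifest.version;
  return { ok: true, published: target };
}

// Hardened flow: derive the target once, reject any request/manifest
// disagreement, and authorize against the name that will actually be written.
function publishHardened(user, requestedName, payload, registry) {
  const target = manifestName(payload);
  if (target !== requestedName) return { ok: false, reason: 'name mismatch' };
  if (!authorize(user, target)) return { ok: false, reason: 'unauthorized' };
  registry[target] = payload.manifest.version;
  return { ok: true, published: target };
}

// Constructed upload: alice's request names her own package, but the manifest
// inside the tarball claims to be a new version of someone else's package.
const samplePayload = { manifest: { name: 'popular-lib', version: '9.9.9' } };

function demo() {
  const flawedRegistry = {};
  const hardenedRegistry = {};
  const flawed = publishFlawed('alice', 'alice-pkg', samplePayload, flawedRegistry);
  const hardened = publishHardened('alice', 'alice-pkg', samplePayload, hardenedRegistry);
  return { flawed, hardened, flawedRegistry, hardenedRegistry };
}
```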
The issue was fixed 6 hours after it was reported, but the vulnerability had been present in NPM for longer than the telemetry logs cover. GitHub states that no traces of attacks using this vulnerability have been recorded since September 2020, but there is no guarantee that the problem was not exploited before that.
The second incident took place on October 26. During maintenance work on the database of the replicate.npmjs.com service, it was found that the database, which is available for external queries, contained confidential data: the names of internal packages that were mentioned in the change log. Such names can be used to carry out attacks on the dependencies of internal projects (dependency confusion; in February, such an attack allowed code to be executed on the servers of PayPal, Microsoft, Apple, Netflix, Uber and 30 other companies).
In addition, in connection with the increased frequency of repository hijacking of large projects and the spread of malicious code through compromised developer accounts, GitHub has decided to introduce mandatory two-factor authentication. The change will take effect in the first quarter of 2022 and will apply to the maintainers and administrators of packages on the most-popular list. It is also reported that the infrastructure is being modernized to introduce automated monitoring and analysis of new package versions for early detection of malicious changes.
Recall that, according to a study conducted in 2020, only 9.27% of package maintainers use two-factor authentication to protect access, and in 13.37% of cases developers registering new accounts tried to reuse compromised passwords that appear in known password leaks. During a check of the strength of the passwords in use, the researchers managed to gain access to 12% of NPM accounts (13% of packages) through the use of predictable and trivial passwords such as "123456". Among the problematic ones were 4 user accounts from the Top 20 most popular packages, 13 accounts whose packages were downloaded more than 50 million times a month, 40 with more than 10 million downloads a month, and 282 with more than 1 million downloads a month. Taking into account modules loaded along the chain of dependencies, compromising these untrusted accounts could affect up to 52% of all modules in NPM.