Chief security officer Mike Hanley posted yesterday about the issue, which was reported by security researchers Kajetan Grzybowski and Maciej Piechota on 2 November and patched within six hours. That impressive speed contrasts with the length of time the vulnerability existed, said to be longer than "the timeframe for which we have available telemetry, which goes back to September 2020."
The vulnerability was based on a familiar insecurity pattern, where the system correctly authenticates a user but then allows access beyond what that user's permissions should enable. In this case, the NPM service correctly validated that a user was authorised to update a package, but "the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file.
"This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package."
Hanley also revealed that the names of some privately published packages, which should not be listed on the public registry, were inadvertently exposed via a public NPM replica, for about a week. The content of the packages were not accessible, though, and this was fixed on 29 October.
- NPM packages disguised as Roblox API code caught carrying ransomware
- If you're using this hijacked NPM library anywhere in your software stack, read this
- GitHub's npm gave away a package name while it was in use, causing rethink
GitHub is planning to tighten the security of the NPM registry by requiring two-factor authentication (2FA) for maintainers and admins of the most popular packages, starting in the first quarter of 2022. 2FA is already possible but not required. The 2FA technology used will be WebAuthn. Details of how this will work will be published "in the coming weeks," Hanley said.
The goal is to prevent account takeovers, such as last month's incident involving ua-parser-js. At the time GitHub warned: "Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer."
The NPM community has also discussed strengthening security via code signing. It is already possible to verify the PGP (Pretty Good Privacy) signature of an NPM package but this only guarantees that the package downloaded matches what was published, and would not help in the case where a package is published but without proper authorisation. ®