Vulnerability that allowed a new version to be published for any package in the NPM registry

GitHub has disclosed two incidents in the NPM package registry infrastructure. On November 2, security researchers Kajetan Grzybowski and Maciej Piechota reported, through the bug bounty program, a vulnerability in the NPM registry that allowed a new version of any package to be published from an account that was not authorized to update that package.

The vulnerability was caused by an inconsistent permission check across the microservices that handle publish requests. The authorization service checked the caller's rights against the package name supplied in the request, while the service that actually wrote the new version into the registry decided which package to update from the metadata inside the uploaded tarball (the package manifest, package.json). An attacker could therefore request publication of an update to a package they legitimately owned, but put the name of a different package in the tarball's manifest; the new version would then be applied to that other package.
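The following is an added illustration, not npm's own code: a toy two-service publish flow with the same shape as the bug described above, beside the fix. The registry contents, the ACL and the user names are constructed for the example.

```javascript
// Added example (not npm's code). Two cooperating services: the authorization
// service decides using the package name in the REQUEST; the publish service
// decides which package to write to using the name inside the uploaded tarball.

// Constructed registry state and ownership list (assumptions for the example).
function makeRegistry() {
  return {
    versions: { lodash: ["4.17.21"], "left-pad-fork": ["1.0.0"] },
    owners: { lodash: ["jdalton"], "left-pad-fork": ["mallory"] },
  };
}

// Service 1: authorization, keyed by the name the client put in the request URL.
function isAuthorized(reg, user, requestedName) {
  return (reg.owners[requestedName] || []).includes(user);
}

// Service 2: publish. With enforceNameMatch=false it reproduces the bug: it
// trusts the manifest's "name" field and writes the version there. With
// enforceNameMatch=true the request-scoped name and the manifest name must agree.
function publish(reg, user, requestedName, tarball, enforceNameMatch) {
  if (!isAuthorized(reg, user, requestedName)) {
    throw new Error("EPERM: " + user + " may not publish " + requestedName);
  }
  const manifest = tarball.manifest; // parsed package.json from the tarball
  if (enforceNameMatch && manifest.name !== requestedName) {
    throw new Error(
      "EINVAL: manifest name '" + manifest.name +
      "' does not match requested package '" + requestedName + "'"
    );
  }
  const target = manifest.name; // vulnerable path: attacker-controlled
  if (!reg.versions[target]) reg.versions[target] = [];
  reg.versions[target].push(manifest.version);
  return target; // the package that was actually updated
}

// Mallory owns left-pad-fork and requests to publish it, but the tarball's
// package.json claims to be "lodash" (constructed malicious upload).
const maliciousTarball = { manifest: { name: "lodash", version: "99.0.0" } };

function demoVulnerable() {
  const reg = makeRegistry();
  const updated = publish(reg, "mallory", "left-pad-fork", maliciousTarball, false);
  return { updated, lodashVersions: reg.versions.lodash };
}

function demoFixed() {
  const reg = makeRegistry();
  try {
    publish(reg, "mallory", "left-pad-fork", maliciousTarball, true);
    return { rejected: false, lodashVersions: reg.versions.lodash };
  } catch (e) {
    return { rejected: true, lodashVersions: reg.versions.lodash, reason: e.message };
  }
}

console.log(demoVulnerable()); // { updated: 'lodash', lodashVersions: [ '4.17.21', '99.0.0' ] }
console.log(demoFixed());      // rejected: true, lodash untouched
```

The general lesson is that every service in the chain must derive the object being acted on from the same, already-authorized identifier; re-deriving it from attacker-supplied content after the permission check is a classic confused-deputy pattern.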

The issue was fixed six hours after it was reported, but the vulnerability had existed in NPM for longer than the telemetry logs cover. GitHub states that there are no traces of it being exploited since September 2020, as far back as the logs go, but cannot guarantee that it was not exploited before then.

The second incident took place on October 26. During maintenance work on the database behind the replicate.npmjs.com service, it was found that the externally queryable database exposed confidential data: the names of private packages were visible in the change feed. Knowledge of such names can be used for dependency confusion attacks against internal projects (in February, an attack of this kind achieved code execution on servers of PayPal, Microsoft, Apple, Netflix, Uber and 30 other companies).
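As an added example (not GitHub's or npm's code), here is the check a practitioner would run after learning that internal package names may have leaked: scan a package-lock.json for internal names that resolve to the public registry instead of the private one. The list of internal names, the private registry host and the lockfile contents are all constructed for the example.

```javascript
// Added example (not npm's code): dependency-confusion audit of a lockfile.

// Assumed list of internal package names, e.g. recovered from the leaked change feed.
const INTERNAL_PACKAGES = ["acme-auth-client", "@acme/logger"];

// Assumed private registry that internal packages should come from.
const PRIVATE_REGISTRY_HOST = "npm.acme.internal";

// Constructed package-lock.json (lockfileVersion 2 layout: "packages" keyed by path).
const sampleLockfile = {
  lockfileVersion: 2,
  packages: {
    "": { name: "acme-billing", version: "1.0.0" },
    "node_modules/acme-auth-client": {
      version: "9.9.9",
      resolved: "https://registry.npmjs.org/acme-auth-client/-/acme-auth-client-9.9.9.tgz",
    },
    "node_modules/@acme/logger": {
      version: "1.2.0",
      resolved: "https://npm.acme.internal/@acme%2flogger/-/logger-1.2.0.tgz",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b": the segment after the last node_modules/.
function packageNameFromPath(p) {
  const marker = "node_modules/";
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? p : p.slice(idx + marker.length);
}

// Returns every internal package whose tarball was resolved from a host other
// than the private registry; an unexpectedly high version is the usual tell.
function findConfusedDependencies(lock, internalNames, privateHost) {
  const internal = new Set(internalNames);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    if (!internal.has(name)) continue;
    const host = entry.resolved ? new URL(entry.resolved).host : "(no resolved URL)";
    if (host !== privateHost) {
      findings.push({ name, version: entry.version, host });
    }
  }
  return findings;
}

console.log(findConfusedDependencies(sampleLockfile, INTERNAL_PACKAGES, PRIVATE_REGISTRY_HOST));
// [ { name: 'acme-auth-client', version: '9.9.9', host: 'registry.npmjs.org' } ]
```

In the constructed lockfile, `acme-auth-client` was fetched from registry.npmjs.org at a suspiciously high version, which is exactly the footprint of a confusion attack; the scoped `@acme/logger` came from the private registry. Pinning internal names to a scope that your .npmrc maps to the private registry, and refusing unscoped internal names, removes the ambiguity that the attack relies on.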

In addition, because of the growing number of cases in which repositories of large projects were taken over and malicious code was pushed out by compromising developer accounts, GitHub has decided to make two-factor authentication mandatory. The requirement takes effect in the first quarter of 2022 and applies to maintainers and administrators of packages on the most-popular list. GitHub also announced infrastructure upgrades that will introduce automated monitoring and analysis of newly published package versions for early detection of malicious changes.

Recall that, according to a study conducted in 2020, only 9.27% of package maintainers used two-factor authentication, and in 13.37% of new account registrations developers tried to reuse passwords that appear in known password leaks. A password-strength analysis was able to gain access to 12% of NPM accounts (13% of packages) because they used predictable, trivial passwords such as "123456". Among the affected accounts were 4 maintainers of Top 20 packages, 13 accounts whose packages are downloaded more than 50 million times a month, 40 with more than 10 million downloads per month and 282 with more than 1 million downloads per month. Because modules are pulled in along dependency chains, compromising these weakly protected accounts could affect up to 52% of all modules in NPM.

Source: opennet.ru