GitHub engineers have disclosed two serious vulnerabilities in npm (Node Package Manager), identified in the JavaScript package manager in October and November of this year.
The first and most serious bug, which security researchers reported to the developers through GitHub's bug bounty program in early November, allowed an attacker to publish a new version of any npm package from an account that was not authorized to do so. The vulnerability stemmed from inconsistent authorization and data checks between several microservices that process requests to npm.
The developers write that there is no evidence this bug was exploited. At the same time, the experts admit that the vulnerability was present in npm “over a time interval” that exceeds the one for which they have telemetry “which allows determining whether this vulnerability has ever been abused.”
The second vulnerability involved a leak of the names of private npm packages (but not their contents) through the npmjs.com replication server, from which third-party services receive this data. The leak affected private npm libraries with names of the form “@owner/package” that were created before October 20. The names of these libraries were available to outsiders between October 21 and October 29. The leak has since been fixed and the data deleted.
The problem is that merely knowing the names of private packages is enough to carry out targeted and automated attacks such as dependency confusion and typosquatting. The experts acknowledge that replicate.npmjs.com is used by third parties, which means they may still hold copies of the leaked data or “replicate data elsewhere.”
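One defensive check a project can run after such a leak, as an added example that is not from the article or from GitHub/npm: for every dependency in a scope the organisation treats as private, confirm that the scope is pinned to a private registry in .npmrc and that the lockfile resolves it from that registry rather than from registry.npmjs.org. The scope name `@acme`, the registry `npm.acme.example` and all three input files are constructed for the example; the lockfile layout assumed is the package-lock v2/v3 `packages` map.

```javascript
// Added example: audit an npm project for dependency-confusion exposure.
// Inputs (constructed, not real): package.json, .npmrc text, package-lock.json.
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Read the "@scope:registry=URL" lines from .npmrc; other lines are ignored.
function parseScopedRegistries(npmrcText) {
  const scopes = {};
  for (const raw of npmrcText.split('\n')) {
    const m = raw.trim().match(/^(@[^:]+):registry=(\S+)$/);
    if (m) scopes[m[1]] = m[2];
  }
  return scopes;
}

function scopeOf(name) {
  return name.startsWith('@') ? name.split('/')[0] : null;
}

// Returns one finding per problem; an empty array means nothing was flagged.
function auditDependencyConfusion(pkg, npmrcText, lock, privateScopes) {
  const scopedRegistries = parseScopedRegistries(npmrcText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    const scope = scopeOf(name);
    if (!scope || !privateScopes.includes(scope)) continue; // public dep, out of scope
    const registry = scopedRegistries[scope];
    if (!registry || registry.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ name, issue: `${scope} is not pinned to a private registry in .npmrc` });
    }
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (entry && entry.resolved && entry.resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({ name, issue: 'lockfile resolves this private package from the public registry' });
    }
  }
  return findings;
}

// Constructed sample project: one private package is correctly pinned, one is not.
const samplePackageJson = { dependencies: { '@acme/auth-utils': '^2.1.0', '@acme/billing': '1.0.3', lodash: '^4.17.21' } };
const sampleNpmrc = '@acme:registry=https://npm.acme.example/\n//npm.acme.example/:_authToken=${NPM_TOKEN}\n';
const sampleLock = { packages: {
  'node_modules/@acme/auth-utils': { version: '2.1.0', resolved: 'https://npm.acme.example/@acme/auth-utils/-/auth-utils-2.1.0.tgz' },
  'node_modules/@acme/billing': { version: '1.0.3', resolved: 'https://registry.npmjs.org/@acme/billing/-/billing-1.0.3.tgz' },
  'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
} };

console.log(auditDependencyConfusion(samplePackageJson, sampleNpmrc, sampleLock, ['@acme']));
```

In a real project the three inputs would be read from disk; the same check is worth running in CI so a lockfile change that silently re-points a private scope at the public registry fails the build.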
Let me remind you that we also reported that another npm package was stealing information from browsers and Discord.