A popular npm package that is downloaded more than 3.5 million times every week has been found vulnerable to an account takeover attack.
Illustria, a software supply chain security firm, said in a report that “the package could be taken over by restoring the expired domain name and resetting the password for one of its maintainers.”
Although npm security only allows users to have one active email address per account, the Israeli company claims it was able to reset the maintainer’s GitHub password using the restored domain.
Simply put, the attack grants the attacker access to the GitHub account associated with the package, effectively allowing a trojanized version to be published to the npm registry so that it can be weaponized to launch a supply chain attack at scale.
This is achieved by abusing GitHub Actions configured on the repository to automatically publish packages when new code changes are pushed.
Bogdan Kortnov, co-founder and CTO of Illustria, said:

Illustria did not disclose the name of the module, but noted that it contacted the maintainer, who took steps to secure the account.
This is not the first time developer accounts have been found vulnerable to hijacking in recent years. In May 2022, attackers registered an expired domain used by the maintainer of the ctx Python package to take control of the account and distribute a malicious version.