Security News > 2021 > November > NPM fixes private package names leak, serious authorization bug
The first flaw concerns leak of names of private npm packages on the npmjs.com's 'replica' server-feeds from which are consumed by third-party services.
' The leak exposed a list of names of private npm packages, but not the content of these packages during the maintenance window.
Note, while the content of the private packages was not exposed, knowledge of the private package names is enough for threat actors to conduct targeted dependency confusion and typosquatting attacks in an automated fashion, as we have seen time and time again.
The data leak was identified by GitHub on October 26th and by the 29th, all records containing private package names were deleted from the npm's replication database.
GitHub disclosed a serious bug that could "Allow an attacker to publish new versions of any npm package using an account without proper authorization."
"This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package. We mitigated this issue by ensuring consistency across both the publishing service and authorization service to ensure that the same package is being used for both authorization and publishing."