GitHub fixed serious npm registry vulnerability, will mandate 2FA use for certain accounts
2021-11-17 12:32

GitHub has fixed a serious vulnerability that would have allowed attackers to publish new, malicious versions of any existing package on the npm registry.

"In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file," GitHub's chief security officer Mike Hanley explained.
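The flaw Hanley describes is a mismatch between what was authorized (the package named in the URL path) and what was acted on (the package named inside the uploaded tarball). The following toy publish handler, added here as an illustration and not GitHub's or npm's actual code or data model, models that mismatch and the check that closes it: the manifest name must equal the package the caller was authorized for.

```python
import io
import json
import tarfile

# Constructed sample data: package -> set of maintainers allowed to publish.
MAINTAINERS = {"alpha": {"alice"}, "victim-pkg": {"bob"}}


def fresh_registry():
    """Constructed registry state: package -> {version: tarball bytes}."""
    return {"alpha": {"1.0.0": b""}, "victim-pkg": {"1.0.0": b""}}


def make_tarball(name, version):
    """Build an npm-style tarball whose package/package.json names the package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = json.dumps({"name": name, "version": version}).encode()
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_manifest(tarball):
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        return json.loads(tar.extractfile("package/package.json").read())


def authorize(user, url_package):
    """Authorization service: decides based on the package named in the URL path."""
    return user in MAINTAINERS.get(url_package, set())


def publish_vulnerable(registry, user, url_package, tarball):
    """Update service keys the write on the manifest, not on the authorized name."""
    if not authorize(user, url_package):
        return "forbidden"
    manifest = read_manifest(tarball)
    registry.setdefault(manifest["name"], {})[manifest["version"]] = tarball
    return f"published {manifest['name']}@{manifest['version']}"


def publish_fixed(registry, user, url_package, tarball):
    """Same flow, but the write is refused unless manifest and URL agree."""
    if not authorize(user, url_package):
        return "forbidden"
    manifest = read_manifest(tarball)
    if manifest["name"] != url_package:
        return "rejected: manifest name does not match authorized package"
    registry.setdefault(url_package, {})[manifest["version"]] = tarball
    return f"published {url_package}@{manifest['version']}"
```

The general lesson is that every component in a pipeline should act on the same identity that was authorized, rather than re-deriving it from attacker-controlled input.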

While the aforementioned avenue for attack is now closed, GitHub is working on blocking two routes often employed by attackers: account takeovers and the publication of malware through accounts established by the attackers themselves.

To prevent account takeovers, GitHub already offers the option of setting up two-factor authentication, but early next year, using 2FA will start becoming a requirement for maintainers and admins of popular packages on npm.

The announced change was surely influenced by the recent hijacking of several popular npm packages (ua-parser-js, coa and rc), made possible by the lack of 2FA protection on the developers' accounts.

"Even though high-impact account takeovers are relatively infrequent, when compared to direct malware published from attackers using their own accounts, account takeovers can be wide reaching when targeted at maintainers of popular packages. While our detection and response time to popular package takeovers has been as low as 10 minutes in recent incidents, we continue to evolve our malware detection capabilities and notification strategies toward a more proactive response model," Hanley said.

News URL

https://www.helpnetsecurity.com/2021/11/17/npm-registry-vulnerability/