NPM Bug Allowed Attackers to Distribute Malware as Legitimate Packages (April 2022)
A "Logical flaw" has been disclosed in NPM, the default package manager for the Node.js JavaScript runtime environment, that enables malicious actors to pass off rogue libraries as legitimate and trick unsuspecting developers into installing them.
"Up until recently, NPM allowed adding anyone as a maintainer of the package without notifying these users or getting their consent," Aqua's Yakir Kadkoda said in a report published Tuesday.
Not only does this give developers a false sense of trust, it could also inflict reputational damage on legitimate package maintainers.
The disclosure comes as Aqua uncovered two more flaws in the NPM platform related to two-factor authentication that could be abused to facilitate account takeover attacks and publish malicious packages.
"The main problem is that any npm user can perform this and add other NPM users as maintainers of their own package," Kadkoda said.
"Eventually, developers are responsible for what open source packages they use when building applications."
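The flaw described above means the `maintainers` list shown for a package can contain names nobody on the project actually added. One defensive check a team can run is to compare the maintainers reported by the registry for each vetted dependency against the names recorded when that dependency was approved. The script below is an added example for this article and is not code from Aqua, from npm, or from the report; the package names, maintainer names and registry documents in it are constructed sample data in the shape the npm registry returns for a package's metadata (in practice you would fetch that with `npm view <name> maintainers --json` and feed it in).

```javascript
// Added example (not from the article, Aqua or npm): audit the `maintainers`
// field of registry metadata ("packuments") for vetted dependencies against an
// allowlist, so a maintainer the team never expected stands out.
// Everything below is CONSTRUCTED sample data, not real packages or people.

const SAMPLE_PACKUMENTS = {
  "left-pad-ish": {            // constructed package name
    name: "left-pad-ish",
    "dist-tags": { latest: "1.3.0" },
    maintainers: [
      { name: "alice", email: "alice@example.invalid" },
      { name: "bob", email: "bob@example.invalid" },
    ],
  },
  "tiny-logger-x": {           // constructed package name
    name: "tiny-logger-x",
    "dist-tags": { latest: "0.9.1" },
    maintainers: [
      { name: "carol", email: "carol@example.invalid" },
      { name: "stranger42", email: "stranger@example.invalid" }, // not in policy
    ],
  },
};

// Maintainers the team recorded when each dependency was vetted (constructed).
const MAINTAINER_POLICY = {
  "left-pad-ish": ["alice", "bob"],
  "tiny-logger-x": ["carol"],
};

// Return the maintainer names on a packument that the policy does not list.
// A missing or malformed `maintainers` field is reported as a finding rather
// than silently passing, since "unknown" is not the same as "verified".
function unexpectedMaintainers(packument, expected) {
  if (!Array.isArray(packument.maintainers)) {
    return ["<missing maintainers field>"];
  }
  const allowed = new Set(expected.map((n) => n.toLowerCase()));
  return packument.maintainers
    .map((m) => (m && typeof m.name === "string" ? m.name : String(m)))
    .filter((name) => !allowed.has(name.toLowerCase()))
    .sort();
}

// Audit every package named in the policy. A package with no registry
// metadata is also reported, so a failed fetch cannot hide maintainer drift.
function auditMaintainers(packuments, policy) {
  const findings = [];
  for (const [pkg, expected] of Object.entries(policy)) {
    const doc = packuments[pkg];
    if (!doc) {
      findings.push({ package: pkg, unexpected: ["<no registry metadata>"] });
      continue;
    }
    const unexpected = unexpectedMaintainers(doc, expected);
    if (unexpected.length > 0) {
      findings.push({ package: pkg, unexpected });
    }
  }
  return findings;
}

// Usage against the constructed sample data: prints one finding for
// tiny-logger-x (stranger42), nothing for left-pad-ish.
for (const f of auditMaintainers(SAMPLE_PACKUMENTS, MAINTAINER_POLICY)) {
  console.log(`${f.package}: unexpected maintainer(s): ${f.unexpected.join(", ")}`);
}
```

The comparison is case-insensitive because registry usernames are lowercase, and both "missing metadata" and "missing maintainers field" are treated as findings so that an outage or a malformed document fails the audit rather than passing it. Running this in CI against freshly fetched metadata turns a silent maintainer addition into a visible diff the team has to acknowledge.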
News URL: https://thehackernews.com/2022/04/npm-bug-allowed-attackers-to-distribute.html