NPM flaw let attackers add anyone as maintainer to malicious packages
A 'logical flaw' in the npm registry enabled authors of malicious packages to quietly add anyone, and any number of users, as 'maintainers' of their packages in an attempt to make those packages look more trustworthy.
The security flaw in the npm registry, dubbed 'package planting', allowed threat actors to silently add any developer as a 'maintainer' of their malicious packages.
"Up until recently, npm allowed adding anyone as a maintainer of the package without notifying these users or getting their consent," explains Yakir Kadkoda, a security researcher at Aqua's Team Nautilus.
To demonstrate the concept, Kadkoda published a test package, 'fb npm package', to the registry, with his demo npm account initially the only maintainer of the package.
Anyone visiting the npm page of 'fb npm package' would now perceive the package's ownership to exclusively include Facebook and npm, which is highly misleading.
Kadkoda eventually took down his test package and reported the flaw to npm.
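Because the maintainers list could be padded without the listed users' consent, the list alone is a weak trust signal; a stronger one is who actually uploaded each version, which the registry records per version in the `_npmUser` field. The following is an added example (not code from the article or from Aqua) that reads a package document of the shape returned by `https://registry.npmjs.org/<name>` and flags maintainers with no publish history; the package name and account names are constructed placeholders.

```python
import json

# Constructed sample of an npm registry package document, trimmed to the
# fields this check uses. Package and account names are placeholders.
SAMPLE_DOC = json.loads("""
{
  "name": "example-planted-pkg",
  "dist-tags": {"latest": "1.0.1"},
  "maintainers": [
    {"name": "demo-author", "email": "demo@example.invalid"},
    {"name": "big-vendor", "email": "vendor@example.invalid"},
    {"name": "registry-staff", "email": "staff@example.invalid"}
  ],
  "versions": {
    "1.0.0": {"version": "1.0.0",
              "_npmUser": {"name": "demo-author", "email": "demo@example.invalid"}},
    "1.0.1": {"version": "1.0.1",
              "_npmUser": {"name": "demo-author", "email": "demo@example.invalid"}}
  }
}
""")


def publishers_by_version(doc):
    """Map each version to the account that actually uploaded it,
    taken from the _npmUser field the registry records at publish time."""
    return {
        version: meta.get("_npmUser", {}).get("name")
        for version, meta in doc.get("versions", {}).items()
    }


def silent_maintainers(doc):
    """Return listed maintainers that have never published any version.
    A 'planted' maintainer shows up here: present in the maintainers
    list, absent from every version's _npmUser."""
    listed = {m["name"] for m in doc.get("maintainers", [])}
    active = set(publishers_by_version(doc).values()) - {None}
    return sorted(listed - active)


if __name__ == "__main__":
    print("publishers:", publishers_by_version(SAMPLE_DOC))
    print("maintainers with no publish history:", silent_maintainers(SAMPLE_DOC))
```

A maintainer with no publish history is a signal to investigate, not proof of planting, since a legitimately added co-maintainer who has not yet released anything looks the same.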