Security News > 2022 > May > Email domain for NPM lib with 6m downloads a week grabbed by expert to make a point
Security consultant Lance Vick recently acquired the expired domain used by the maintainer of a widely used NPM package to remind the JavaScript community that the NPM Registry still hasn't implemented adequate security.
Vick acquired the lapsed domain that had been used by the maintainer to create an NPM account and is associated with the "Foreach" package on NPM. But he said he didn't follow through with resetting the password on the email account tied to the "Foreach" package, which is fetched nearly six million times a week.
In an email to The Register, Vick explained, "As an NPM team member pointed out, the emails associated with NPM accounts and the emails used on the packages themselves can sometimes be different, but even if this is the case, controlling an owner account would make an easy social engineering case to customer support.
"Regardless of how much control I have over this particular package, which is unclear, NPM admits this particular expired domain problem is a known issue, citing this 2021 paper which says, 'We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the NPM accounts.'"
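One defensive check the story points to, as an added example that is not from the article, from NPM or from Vick: audit the maintainer e-mail domains of the packages you already depend on and flag any that no longer resolve, since a lapsed domain is the precondition for the account takeover described above. The `maintainers` list with `email` fields matches the metadata registry.npmjs.org serves per package; the package names, addresses and the `audit_maintainer_domains` helper are constructed for illustration.

```python
import socket
from typing import Callable, Dict, List

# Constructed sample of per-package registry metadata; names and domains are made up.
# ".invalid" is a reserved TLD, so the lapsed-domain case never resolves even with real DNS.
SAMPLE_PACKUMENTS: List[dict] = [
    {"name": "example-widget",
     "maintainers": [{"name": "alice", "email": "alice@example.com"}]},
    {"name": "example-helper",
     "maintainers": [{"name": "bob", "email": "bob@lapsed-domain.invalid"},
                     {"name": "carol", "email": "carol@example.org"}]},
    {"name": "example-loner",
     "maintainers": [{"name": "dave", "email": "dave@lapsed-domain.invalid"}]},
]


def email_domain(email: str) -> str:
    """Lower-cased domain part of an address, trailing dot stripped."""
    return email.rsplit("@", 1)[-1].lower().rstrip(".")


def domain_resolves(domain: str) -> bool:
    """Default resolver: True if the domain has any address record.
    Resolving does not prove a live mailbox, but failing to resolve is the
    cheap, high-signal indicator that the domain may have expired."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_maintainer_domains(packuments: List[dict],
                             resolve: Callable[[str], bool] = domain_resolves) -> Dict[str, dict]:
    """Map package name -> {'unresolvable': [emails], 'all_maintainers_affected': bool}.
    Only packages with at least one unresolvable maintainer domain are reported;
    the flag marks the worst case, where every maintainer account is exposed."""
    findings: Dict[str, dict] = {}
    cache: Dict[str, bool] = {}  # one lookup per distinct domain
    for pkg in packuments:
        maintainers = pkg.get("maintainers", [])
        bad = []
        for m in maintainers:
            dom = email_domain(m["email"])
            if dom not in cache:
                cache[dom] = resolve(dom)
            if not cache[dom]:
                bad.append(m["email"])
        if bad:
            findings[pkg["name"]] = {"unresolvable": bad,
                                     "all_maintainers_affected": len(bad) == len(maintainers)}
    return findings


if __name__ == "__main__":
    for name, info in audit_maintainer_domains(SAMPLE_PACKUMENTS).items():
        print(name, info)
```

Feed it the metadata of every package in your lockfile and triage the `all_maintainers_affected` entries first, since those have no remaining owner whose address is under a live domain.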
Vick on January 11, 2020, pushed a commit to the README file of the NPM command line interface under the name "Adam Baldwin," who was at the time the VP of security at NPM. He did so to demonstrate a bug in GitHub's interface that would forge a signature when merging code and to call attention to longstanding security holes in npm.
Vick went so far as to set up, with the help of John Naulty Jr, "a spreadsheet of NPM package maintainers with terrible security practices." The spreadsheet was featured in a blog post about NPM security by Vick and Naulty that went up the same day as the rogue commit.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/05/10/security_npm_email/