Security News > 2022 > May > How to find NPM dependencies vulnerable to account hijacking

Following the recent disclosure of a technique for hijacking certain NPM packages, security engineer Danish Tariq has proposed a defensive strategy for those looking to assess whether their web apps include dependencies tied to subvertable email domains.

Taking over an NPM package tied to that domain then becomes a matter of resetting the password of the NPM account associated with the commandeered email address - the password reset message goes to the new account holder.

With any luck it's smaller than last December, when security researchers scanned NPM and found 2,818 maintainer email addresses associated with expired domains, through which they had the opportunity to hijack 8,494 packages via account takeovers.

Subverted NPM packages represent a potentially serious security threat, particularly if the compromised packages have become dependencies in widely distributed apps or libraries.

NPM is aware of the account takeover attack, among others, and is in the process of forcing NPM account holders to activate two-factor authentication, which can help avoid account-related mischief.

To help make this happen, NPM has subjected this group to "Enhanced login verification," which involves receiving an emailed one-time code on login to confirm account control.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/05/23/npm_dependencies_vulnerable/