Security News > 2023 > February > Researchers Hijack Popular NPM Package with Millions of Downloads

A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack.

"The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password," software supply chain security company Illustria said in a report.

While npm's security protections limit users to have only one active email address per account, the Israeli firm said it was able to reset the GitHub password using the recovered domain.

The attack, in a nutshell, grants a threat actor access to the package's associated GitHub account, effectively making it possible to publish trojanized versions to the npm registry that can be weaponized to conduct supply chain attacks at scale.

"Even though the maintainer's npm user account is properly configured with , this automation token bypasses it," Bogdan Kortnov, co-founder and CTO of Illustria, said.

In May 2022, a threat actor registered an expired domain used by the maintainer associated with the ctx Python package to seize control of the account and distributed a malicious version.

News URL

https://thehackernews.com/2023/02/researchers-hijack-popular-npm-package.html