
A popular npm package that is downloaded over 3.5 million times each week has been found vulnerable to an account takeover attack.
Illustria, a software supply chain security firm, said in a report that “the package can be taken over by restoring an expired domain name and resetting the password for one of its maintainers.”
Although npm security limits users to only one active email address per account, the Israeli company claims it was able to reset the maintainer's GitHub password using the restored domain.
Simply put, this attack grants the attacker access to the GitHub account associated with the package, which can then be used to publish a trojanized version to the npm registry and launch a supply chain attack at scale.
This is achieved by leveraging GitHub Actions configured on the repository to automatically publish packages when new code changes are pushed.
“Even if the maintainer’s npm user account is properly configured [with two-factor authentication], this automation token bypasses that,” said Bogdan Kortnov, co-founder and CTO of Illustria.
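As an added illustration that is not part of Illustria's report, the first workflow below is the kind of automation the article describes: a long-lived npm automation token stored as a repository secret, publishing on every push, so anyone who controls the GitHub account can ship a release without ever touching npm 2FA. The second is a hardened variant; the `npm-release` environment name and the `NPM_TOKEN` secret name are assumptions.

```yaml
# WEAK: any push to main by whoever controls the repo publishes a release.
# The NPM_TOKEN automation token does not require the maintainer's 2FA.
name: publish-weak
on:
  push:
    branches: [main]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci && npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived secret
---
# HARDENED: publish only from a published GitHub release, through a
# protected environment (required reviewers), with a minimal token scope
# and a signed provenance attestation.
name: publish-hardened
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release        # assumed name; configure required reviewers on it
    permissions:
      contents: read
      id-token: write               # lets npm mint the provenance attestation
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # still a secret: scope it to this package only
```

The hardened workflow still relies on a token, so the package's npm publishing setting should also be set to require 2FA and disallow tokens where the project can afford manual releases; the environment gate is what stops a hijacked account from publishing with a single push.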

Illustria did not disclose the name of the module, but noted that it contacted the maintainer who took steps to secure the account.
This isn’t the first time developer accounts have been found vulnerable to hijacking in recent years. In May 2022, attackers registered an expired domain used by the maintainer associated with the ctx Python package to take control of the account and distribute a malicious version.