Protecting Your Software Supply Chain: Popular NPM Package Vulnerable to Account Takeover Attack
In today's digital landscape, software supply chain security is of paramount importance. With millions of software packages downloaded each week, developers and enterprises alike must take measures to secure their software supply chain. Unfortunately, even the most popular and widely-used packages are not immune to vulnerabilities that can be exploited by attackers.
Recently, a popular npm package with over 3.5 million weekly downloads was found to be vulnerable to an account takeover attack. The attack, discovered by software supply chain security company Illustria, allows attackers to gain access to the associated GitHub account and publish trojanized versions of the package to the npm registry, potentially weaponizing it to conduct supply chain attacks at scale.
The weakness is in account recovery: the domain of one maintainer's e-mail address had expired, so whoever re-registers it receives that maintainer's password-reset mail. Although npm's own protections limit each account to one active e-mail address, Illustria was still able to reset the password of the associated GitHub account through the recovered domain.
With control of the GitHub account, an attacker can take advantage of a GitHub Action configured in the repository to publish the package automatically whenever new code is pushed. Even if the maintainer's npm account is properly configured with two-factor authentication, the automation token used by that workflow publishes without it, as noted by Bogdan Kortnov, co-founder and CTO of Illustria.
Developers and enterprises must take steps to secure their software supply chain. While Illustria did not disclose the name of the vulnerable package, the lesson applies to every maintainer: identify and address weaknesses of this kind as quickly as possible. Developers should ensure that all accounts associated with their software packages are properly secured, including using strong, unique passwords and enabling two-factor authentication. Just as important, the domain names and e-mail addresses attached to those accounts must be kept current, since an expired domain turns account recovery into an entry point for an attack like this one.
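One way to put the last point into practice, as an added example that is not part of the original article or of Illustria's tooling, is to audit the e-mail domains of a package's maintainers. The npm registry exposes them in the `maintainers` array of a package's metadata (`https://registry.npmjs.org/<name>`); any domain that no longer accepts mail is a recovery address someone else could re-register. The package metadata, maintainer names and domains below are constructed for the example; the live lookup wraps Node's `dns.promises.resolveMx`.

```javascript
// Audit the e-mail domains of an npm package's maintainers (added example).
// Input shape follows the registry "packument": { name, maintainers: [{ name, email }] }.

// Group maintainers by the (lower-cased) domain of their registered e-mail address.
function maintainerDomains(packument) {
  const byDomain = new Map();
  for (const m of packument.maintainers || []) {
    if (typeof m.email !== 'string') continue;
    const at = m.email.lastIndexOf('@');
    if (at < 0) continue;
    const domain = m.email.slice(at + 1).toLowerCase();
    if (!byDomain.has(domain)) byDomain.set(domain, []);
    byDomain.get(domain).push(m.name);
  }
  return byDomain;
}

// Pure audit step: `deliverableDomains` is the set of domains that currently
// accept mail. Anything outside it is flagged, with the affected maintainers.
function auditMaintainerDomains(packument, deliverableDomains) {
  const findings = [];
  for (const [domain, maintainers] of maintainerDomains(packument)) {
    findings.push({ domain, maintainers, deliverable: deliverableDomains.has(domain) });
  }
  // Flagged domains first, then alphabetical, so the report is stable.
  return findings.sort((a, b) =>
    Number(a.deliverable) - Number(b.deliverable) || a.domain.localeCompare(b.domain));
}

// Live lookup for real use: a domain is treated as deliverable when it has at
// least one MX record. resolveMx rejects (ENOTFOUND / ENODATA) when there is none.
async function resolveDeliverableDomains(domains) {
  const { promises: dns } = await import('node:dns');
  const deliverable = new Set();
  for (const domain of domains) {
    try {
      const records = await dns.resolveMx(domain);
      if (records.length > 0) deliverable.add(domain);
    } catch {
      // No MX or NXDOMAIN: leave the domain out so it is flagged.
    }
  }
  return deliverable;
}

// Constructed sample metadata (not a real package or real people).
const SAMPLE_PACKUMENT = {
  name: 'example-widget',
  maintainers: [
    { name: 'alice', email: 'alice@example.com' },
    { name: 'bob', email: 'bob@lapsed-example.test' },
    { name: 'carol', email: 'carol@EXAMPLE.com' },
  ],
};

// Stand-in for the live lookup result: only example.com still accepts mail.
const SAMPLE_DELIVERABLE = new Set(['example.com']);

function printReport(findings) {
  for (const f of findings) {
    const tag = f.deliverable ? 'ok     ' : 'FLAGGED';
    console.log(`${tag} ${f.domain} (${f.maintainers.join(', ')})`);
  }
}

// Offline run against the constructed data. For a live audit, fetch the
// packument, then: auditMaintainerDomains(pkg, await resolveDeliverableDomains(maintainerDomains(pkg).keys()))
printReport(auditMaintainerDomains(SAMPLE_PACKUMENT, SAMPLE_DELIVERABLE));
```

A flagged domain is a prompt to contact the maintainer through another channel and have them move their npm and GitHub recovery addresses before anyone else can claim the name; an MX check is a heuristic, so a domain with MX records can still have changed hands.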
The recent account takeover attack on a popular npm package highlights the importance of securing the software supply chain. As software development continues to grow and evolve, developers and enterprises need to stay vigilant and take measures to protect their packages and users from potential vulnerabilities and attacks.