Dark Web Informer is reporting a threat actor is selling a critical, unverified npmjs vulnerability that would allegedly allow for account takeover. BreachForums member Alderson1337 claims to have found a vulnerability that would enable the following:
- Targeting npm accounts of specific organization employees to inject undetectable backdoors into the packages they use. Once these packages are updated, all organization devices could be compromised.
- Targeting npm accounts of developers whose packages are widely used, allowing for the injection of backdoors. Updates to these packages could potentially compromise all devices utilizing them.
- Accessing to private organization packages for negotiation purposes—either for ransom or public disclosure.
The threat actor did not publish a POC in order “to protect the integrity of the exploit.”
npm has not confirmed the existence of such a vulnerability or any reports that the registry can be compromised in this manner. BreachForums, which is now exclusively accessible on the dark web, is a known forum for cybercriminal activities and a marketplace for stolen data. Any claims originating from this source should be treated with a healthy amount of skepticism, due to the possibility of scams.
npm Registry Remains a Prime Target for Attacks#
The npm Registry’s large attack surface provides numerous opportunities for malicious actors to exploit vulnerabilities, whether through direct attacks on the accounts of npm package maintainers or by introducing malicious code into packages. It’s the gateway to the wide world of applications that depend on open source JavaScript, attracting threat actors who relentlessly target npmjs accounts for distributing malicious code.
If you think you’re safe from supply chain attacks because you regularly review and thoroughly vet your dependencies, you need to account for the possibility of attackers compromising legitimate accounts. In 2021, researchers explored various weak links in the software supply chain, including maintainer accounts associated with an expired email domain and inactive packages with inactive maintainers. At that time, they found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the npm accounts.
Researchers at illustria also demonstrated this account takeover vulnerability in 2022 by recovering an expired domain name to take over a package with nearly four million weekly downloads.
There are now legitimate tools like hijagger, which check package registries for hijackable packages, that threat actors can use to facilitate account takeover:
This tool checks every maintainer from every package in the NPM and Python Pypi registry for unregistered domains or unregistered MX records on those domains. If a domain is unregistered you can grab the domain and initiate a password reset on the account if it has no 2 factor auth enabled. This enables you to hijack a package and do whatever you want with it.
Hijagger was created by security researcher Christian Mehlmauer, who advised that it should only be used for submitting packages to bug bounty programs. In the README file he said he contacted the npm security team about this but they were not interested in this kind of vulnerability. The maintainers returned from the API also do not always reflect the real maintainers but he said “often you can get lucky.”
Alongside account takeover are other threats where hackers use brand impersonation to deceive developers. Last week, a threat actor was found to be selling 250+ “reserved npm packages” on Telegram, having claimed package names that are virtually indistinguishable from packages published by high profile companies.
GitHub recognizes the potential for vulnerabilities in its infrastructure. This is why the company’s bug bounty program covers a number of related npm Registry focus areas that are applicable in this instance:
- Vulnerabilities that lead to account takeover
- Novel supply chain vulnerabilities
- Gaining access to private packages that should be inaccessible
- Disclosing the existence of private packages that should be inaccessible, e.g., through error messages (but not through timing attacks, which are ineligible, as described below)
How to Secure Your npm Account#
npm has been working for the past few years to make publishing more secure for the 17+ million developers who use the registry. In 2022, npm enrolled maintainers of “high-impact packages” in mandatory 2FA. High impact is defined as packages with more than 1 million weekly downloads or 500 dependents.
That same year, GitHub also launched a public beta for an improved 2FA experience for all npm accounts, including support for registering multiple second factors, such as security keys, biometric devices, and authentication applications.
Any package author can enable 2FA to make their account more difficult to compromise, and organizations can also enforce 2FA. For those who don’t opt into 2FA, npm does an enhanced login verification with a one-time password sent via email.
Because of previous attempts where attackers have attempted to register the expired domains of package maintainers, npm also conducts period checks for email accounts associated with expired domains or invalid MX records:
When the domain has expired, we disable the account from doing a password reset and require the user to undergo account recovery or go through a successful authentication flow before they can reset their password.
Package authors and organizations using npm should monitor their accounts for unusual activity, maintain the registration of the domains associated with their email addresses, and use strong, unique passwords.
The current threat from the BreachForums user attempts to entice a buyer with the ability to “inject undetectable backdoors.” This is a tall order and a dubious claim. It presumes that most organizations are not going to fully review the code of their dependencies. While this is a common oversight, it’s unlikely that these backdoors would make it past AI-powered threat detection.
If a package get compromised, Socket has you covered, because we analyze the actual code of the package and will flag anything suspicious that a threat actor has added after taking over an npm or PyPI account. Install the free Socket for GitHub app to secure your dependencies from these types of threats. It detects supply chain security risks before they land in your codebase by analyzing new or updated dependencies in PRs for malicious behavior.