Zeljka Zorz, Editor-in-Chief, Help Net Security
November 17, 2021

GitHub fixed serious npm registry vulnerability, will mandate 2FA use for certain accounts

GitHub has fixed a serious vulnerability that would have allowed attackers to publish new, malicious versions of any existing package on the npm registry.

About the fixed vulnerability

The vulnerability, flagged by security researchers Kajetan Grzybowski and Maciej Piechota, existed because several microservices that handle requests to the npm registry performed inconsistent authorization checks and validation of data.

“In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file,” GitHub’s chief security officer Mike Hanley explained.

“This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package.”
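The mismatch Hanley describes can be modelled in a few lines. The following is an added, constructed simulation (not npm's or GitHub's code): an authorization step keyed on the package name in the URL path, followed by an update step that in the vulnerable variant takes the target package from the uploaded document's `name` field, and in the hardened variant refuses to proceed unless the two agree. Package names, users and the `registry`/`OWNERS` structures are all made up for the example.

```javascript
// Constructed ownership data: which users may publish to which package.
const OWNERS = {
  "left-pad-clone": new Set(["alice"]),
  "popular-framework": new Set(["bob"]),
};

// Service 1: authorization, keyed on the package name taken from the URL path.
function authorize(urlPackage, user) {
  const owners = OWNERS[urlPackage];
  return owners !== undefined && owners.has(user);
}

// Service 2, vulnerable pattern: decides which package to update from the
// uploaded document's "name" field rather than from the authorized path.
function applyPublishVulnerable(urlPackage, payload, registry) {
  const target = payload.name; // trusts the body, ignores the checked path
  registry[target] = registry[target] || {};
  registry[target][payload.version] = payload.tarball;
  return target;
}

// Service 2, hardened: the identifier the authorizer checked is the only one
// the mutating step will act on; any disagreement aborts the publish.
function applyPublishHardened(urlPackage, payload, registry) {
  if (payload.name !== urlPackage) {
    throw new Error(`name mismatch: path=${urlPackage} body=${payload.name}`);
  }
  registry[urlPackage] = registry[urlPackage] || {};
  registry[urlPackage][payload.version] = payload.tarball;
  return urlPackage;
}

// End-to-end publish flow; `apply` is one of the two service variants above.
function publish(user, urlPackage, payload, registry, apply) {
  if (!authorize(urlPackage, user)) return { ok: false, reason: "unauthorized" };
  try {
    return { ok: true, updated: apply(urlPackage, payload, registry) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed request: the URL path names alice's own package, but the
// uploaded document names bob's package.
const crossPackagePayload = {
  name: "popular-framework",
  version: "9.9.9",
  tarball: "<constructed tarball bytes>",
};
```

With the vulnerable update step, alice's request passes authorization for `left-pad-clone` yet writes a new version of `popular-framework`; the hardened step rejects the same request before anything is written.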

Has this vulnerability ever been exploited by attackers? Unfortunately, it’s impossible to say: GitHub’s telemetry only reaches back to September 2020, so it can confirm only that the flaw hasn’t been exploited since then.

Securing accounts and spotting malicious packages

While the aforementioned avenue for attack is now closed, GitHub is working on blocking two routes often employed by attackers: account takeovers and the publication of malware through accounts established by the attackers themselves.

To prevent account takeovers, GitHub already offers the option of setting up two-factor authentication (2FA), and starting early next year 2FA will become mandatory for maintainers and admins of popular packages on npm.

The announced change was surely influenced by the recent “hijacking” of several popular npm packages – ua-parser-js, coa and rc – made possible by the lack of 2FA protection on the developers’ accounts.

“Even though high-impact account takeovers are relatively infrequent, when compared to direct malware published from attackers using their own accounts, account takeovers can be wide reaching when targeted at maintainers of popular packages. While our detection and response time to popular package takeovers has been as low as 10 minutes in recent incidents, we continue to evolve our malware detection capabilities and notification strategies toward a more proactive response model,” Hanley said.

GitHub is also improving its automated monitoring and analysis capabilities so that malware and other malicious code is spotted as soon as it is published, across all existing accounts.

© Copyright 1998-2023 by Help Net Security