New npm flaws let attackers better target packages for account takeover

In this video for Help Net Security, Yakir Kadkoda, Lead Security Researcher, and Assaf Morag, Lead Data Analyst at Aqua Security, talk about new npm flaws that allow attackers to target packages for account takeover.

npm is the default package manager for Node.js, an open-source, cross-platform JavaScript runtime environment. The npm command line client allows users to access the npm Registry, which hosts a multitude of public and paid-for private packages.

Recently, the npm Registry implemented a 2FA mechanism, and Aqua Security researchers identified two flaws in it that attackers can use to target npm packages for account takeover attacks.