The largest software registry of Node.js packages, npm, has disclosed two major security flaws identified and patched recently.

  • GitHub disclosed two recent security issues impacting the npm registry.
  • GitHub said it fixed the underlying issue within six hours, but the company cannot be sure the flaw was never exploited in the wild.
  • GitHub will start instructing npm maintainers to enable 2FA sometime in the first quarter of 2022.

The flaw was reported by Kajetan Grzybowski (DrBrix) and Maciej Piechota (haqpl) to GitHub through its bug bounty program on November 2.

The first flaw concerns the leak of names of private npm packages on npmjs.com's 'replica' server, whose feeds are consumed by third-party services.

The leak exposed a list of names of private npm packages, but not the contents of those packages, during the maintenance window.

GitHub identified the data leak on October 26, and by the 29th all records containing private package names had been deleted from npm's replication database.

The second flaw permitted an attacker to publish new versions of any existing npm package from an account that was not authorised for that package, owing to improper authorisation checks.

“In this architecture, the authorisation service was properly validating user authorisation to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determines which package to publish based on the contents of the uploaded package file,” wrote GitHub security chief Mike Hanley.

“This discrepancy provided an avenue by which requests to publish new versions of a package would be authorised for one package but would be performed for a different, and potentially unauthorised, package.”

GitHub is working to improve the security of the npm registry. It plans to introduce two-factor authentication (2FA) for maintainers and admins of popular packages on the registry, starting with a list of top packages in the first quarter of 2022.
