A vulnerability allowed publishing an update to any package in the NPM repository

GitHub has disclosed two incidents in the infrastructure of the NPM package repository. On November 2, third-party security researchers (Kajetan Grzybowski and Maciej Piechota) reported, through the Bug Bounty program, a vulnerability in the NPM repository that allowed publishing a new version of any package using an account that was not authorized to perform such updates.

The vulnerability was caused by incorrect verification of user permissions in the code of the microservice that processed requests to NPM. The authorization service checked access rights to packages based on the data sent in the request, but a separate service, the one that uploads the update into the repository, determined which package to publish from the metadata inside the uploaded package. Thus, an attacker could request publication of an update for a package they had access to, while naming a different package in the uploaded package itself, and that other package would be the one actually updated.
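The mismatch described above, as an added toy model (constructed for this article, not npm's code): the authorization step binds the caller to the package named in the request, while the publish step trusts the name inside the uploaded manifest. The ACL, user names and package names are invented; the hardened variant rejects any upload whose manifest name differs from the package that was authorized.

```javascript
// Toy model of the two-service publish flow (constructed; not npm's code).
// `req.packageName` is the package the caller asks to publish; `req.tarball.manifest`
// stands in for the package.json inside the uploaded archive.

// Constructed ACL: which user may publish which package.
const ACL = {
  alice: new Set(['alice-utils']),
  bob: new Set(['bob-cli']),
};

function isAuthorized(user, packageName) {
  const allowed = ACL[user];
  return allowed !== undefined && allowed.has(packageName);
}

// Vulnerable flow: authorization uses the request field, but the write step
// picks the target package from the tarball metadata, which the uploader controls.
function publishVulnerable(registry, user, req) {
  if (!isAuthorized(user, req.packageName)) return { ok: false, reason: 'unauthorized' };
  const target = req.tarball.manifest.name; // never compared with req.packageName
  registry[target] = req.tarball.manifest.version;
  return { ok: true, published: target };
}

// Hardened flow: the package bound during authorization must equal the package
// named inside the upload; any mismatch is rejected before anything is written.
function publishHardened(registry, user, req) {
  if (!isAuthorized(user, req.packageName)) return { ok: false, reason: 'unauthorized' };
  const manifest = req.tarball.manifest;
  if (manifest.name !== req.packageName) {
    return { ok: false, reason: `manifest name ${manifest.name} != authorized ${req.packageName}` };
  }
  registry[req.packageName] = manifest.version;
  return { ok: true, published: req.packageName };
}

// Constructed request: alice is authorized for alice-utils, but the manifest claims bob-cli.
const crossPackageRequest = {
  packageName: 'alice-utils',
  tarball: { manifest: { name: 'bob-cli', version: '9.9.9' } },
};

// Runs the same request through both flows and returns the resulting registry states.
function demo() {
  const before = {}, after = {};
  const vulnerable = publishVulnerable(before, 'alice', crossPackageRequest);
  const hardened = publishHardened(after, 'alice', crossPackageRequest);
  return { vulnerable, hardened, before, after };
}
```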

The problem was fixed 6 hours after the vulnerability was reported, but it had been present in NPM for longer than the telemetry logs cover. GitHub states that no traces of attacks exploiting this vulnerability have been found since September 2020, but there is no guarantee that the problem was not exploited earlier.

The second incident occurred on October 26. During maintenance work on the database of the Replicate.npmjs.com service, it was discovered that confidential data was accessible through external database queries, disclosing the names of internal packages mentioned in the change log. Such names can be used to carry out dependency attacks on internal projects (in February, such an attack made it possible to execute code on servers of PayPal, Microsoft, Apple, Netflix, Uber and 30 more companies).

In addition, in connection with frequent cases of large projects' repositories being hijacked and malicious code being distributed through compromised developer accounts, GitHub made a decision

/Media reports.