GitHub has published the results of its analysis of the attack in which, on April 12, attackers gained access to the Amazon AWS cloud environment used in the npm project infrastructure. The analysis showed that the attackers obtained backups of the skimdb.npmjs.com host, including a database backup containing the accounts of approximately 100 thousand npm users as of 2015, with their password hashes, user names and email addresses.
The password hashes had been produced with PBKDF2 or salted SHA-1; in 2017 these were replaced by the more resistant bcrypt. After the incident was identified, the passwords covered by the leak were reset and the affected users were notified that they need to set a new password. Since npm has required mandatory two-factor verification with confirmation by email since April 1, the risk of user compromise is assessed as insignificant.
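To make the point about legacy hashes concrete, here is an added example (not code from GitHub or the npm project) that models the two legacy schemes named above, verifies a login against either, flags records that should be rehashed at next successful login, and measures how many offline guesses per second an attacker holding a leaked record can make against each. The record formats `sha1$<salt>$<digest>` and `pbkdf2$<iterations>$<salt>$<digest>` and the 10,000-iteration count are assumptions for illustration; npm's actual storage layout is not described on the page.

```python
import hashlib
import hmac
import time

# Hypothetical record formats (assumption, not npm's real layout):
#   "sha1$<salt_hex>$<digest_hex>"
#   "pbkdf2$<iterations>$<salt_hex>$<digest_hex>"
PBKDF2_ITERATIONS = 10_000  # assumed legacy cost; real value unknown


def hash_sha1(password: str, salt: bytes) -> str:
    """Salted SHA-1: one cheap hash over salt||password."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a work factor; each guess costs `iterations` HMACs."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the stored scheme and compare in constant time."""
    parts = record.split("$")
    if parts[0] == "sha1":
        _, salt_hex, _ = parts
        candidate = hash_sha1(password, bytes.fromhex(salt_hex))
    elif parts[0] == "pbkdf2":
        _, iters, salt_hex, _ = parts
        candidate = hash_pbkdf2(password, bytes.fromhex(salt_hex), int(iters))
    else:
        raise ValueError(f"unknown scheme: {parts[0]}")
    return hmac.compare_digest(candidate, record)


def needs_upgrade(record: str) -> bool:
    """Legacy schemes should be rehashed with the current scheme (bcrypt) on next login."""
    return record.split("$")[0] in ("sha1", "pbkdf2")


def guesses_per_second(record: str, candidates) -> float:
    """Offline guessing rate an attacker with the leaked record achieves, per core."""
    start = time.perf_counter()
    for guess in candidates:
        verify(guess, record)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return len(candidates) / elapsed


if __name__ == "__main__":
    # Constructed sample: a fixed salt and password, plus a small guess list.
    salt = bytes.fromhex("0123456789abcdef0123456789abcdef")
    legacy_sha1 = hash_sha1("correct horse", salt)
    legacy_pbkdf2 = hash_pbkdf2("correct horse", salt)
    wordlist = [f"password{i}" for i in range(200)]
    print("sha1   guesses/s:", int(guesses_per_second(legacy_sha1, wordlist)))
    print("pbkdf2 guesses/s:", int(guesses_per_second(legacy_pbkdf2, wordlist)))
    for rec in (legacy_sha1, legacy_pbkdf2):
        print(rec.split("$")[0], "login ok:", verify("correct horse", rec),
              "needs upgrade:", needs_upgrade(rec))
```

The salt stops precomputed tables, but a salted SHA-1 record still falls at hundreds of thousands of guesses per second on a single core, which is why a 2015-era backup of such hashes is a real risk even after the 2017 migration: the migration only rehashes accounts that logged in afterwards, and the old backup keeps the old hashes. Resetting the affected passwords, as GitHub did, is the only remedy for the copies already taken.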
In addition, the attackers obtained all manifest files and metadata of private packages as of April 2021, CSV files with the current list of all private package names and versions, and the contents of all private packages belonging to two GitHub customers (their names are not disclosed). As for the repository itself, analysis of the traces and verification of package hashes revealed no modifications to npm packages and no publication of bogus new versions of packages.
The attack was carried out on April 12 using stolen OAuth tokens issued to two third-party GitHub integrators, Heroku and Travis-CI. With these tokens the attackers were able to extract, from private repositories used in the npm project infrastructure, a key for accessing the Amazon Web Services API. That key in turn gave access to data stored in the AWS S3 service.
Information was also disclosed about a previously identified serious problem with the handling of user data on npm servers: internal logs retained the passwords of some npm users, as well as npm access tokens, in cleartext. When integrating npm with the GitHub logging system, the developers failed to strip confidential information from the requests to npm services that were being written to the log. The flaw is stated to have been fixed, and the logs cleared, before the attack on npm. Only GitHub internal employees had access to the logs, including the cleartext passwords.