A security issue was identified in the npm package registry that allowed the owner of a package to add any user to the package's maintainer list without that user's consent and without notifying them of the action. The problem was aggravated by the fact that, after adding a third-party user as a maintainer, the original author of the package could remove themselves from the maintainer list, leaving the third-party user as the only person responsible for the package.
Authors of malicious packages could exploit the issue to add well-known developers or large companies to the maintainer list, increasing users' trust and creating the illusion that reputable developers are responsible for the package, even though they have nothing to do with it and are not even aware of its existence. For example, an attacker could publish a malicious package, change the listed maintainer, and invite users to test a "new development" by a large company. The vulnerability could also be used to tarnish the reputation of particular developers by presenting them as the initiators of dubious or harmful actions.
GitHub was notified of the problem on February 10 and fixed it on npmjs.com on April 26 by introducing mandatory confirmation of consent before a user is added as a maintainer of another project. Developers of a large number of npm packages are advised to check whether they have been added to the maintainer list of any packages without their consent.
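The check recommended above can be automated. The following Python script is an added example (not code from the article or from npm): it takes the JSON returned by the public registry search endpoint `https://registry.npmjs.org/-/v1/search?text=maintainer:<user>`, keeps only packages whose `maintainers` field actually lists the user, and flags any that are not on the user's own list of packages, noting where the user is the sole maintainer (the situation the article describes, where the original author has removed themselves). The response embedded below is a constructed sample in the endpoint's documented shape; the user name `alice` and the package names are assumptions for the demo.

```python
"""Audit which npm packages list a given user as maintainer.

Added example: compares the registry's search results against the packages
the user knows they maintain and reports any unexpected maintainerships.
"""
from __future__ import annotations

import json
import urllib.request
from typing import Iterable
from urllib.parse import quote

# Constructed sample response in the shape of the /-/v1/search endpoint
# ({"objects": [{"package": {"name": ..., "maintainers": [{"username": ...}]}}]}).
SAMPLE_RESPONSE = json.dumps({
    "objects": [
        {"package": {"name": "alice-utils",
                     "maintainers": [{"username": "alice", "email": "alice@example.com"}]}},
        {"package": {"name": "totally-legit-sdk",
                     "maintainers": [{"username": "alice", "email": "alice@example.com"}]}},
        {"package": {"name": "shared-lib",
                     "maintainers": [{"username": "alice", "email": "alice@example.com"},
                                     {"username": "bob", "email": "bob@example.com"}]}},
    ],
    "total": 3,
})


def fetch_search(user: str, size: int = 250) -> str:
    """Fetch the live search results for `user` from the npm registry (network access)."""
    url = (f"https://registry.npmjs.org/-/v1/search"
           f"?text={quote(f'maintainer:{user}')}&size={size}")
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def audit_maintainerships(search_json: str, user: str, expected: Iterable[str]) -> list[dict]:
    """Return the packages that list `user` as maintainer but are not in `expected`.

    Each finding records the full maintainer list and whether `user` is the
    sole maintainer, i.e. the only person now responsible for the package.
    """
    known = set(expected)
    data = json.loads(search_json)
    findings = []
    for obj in data.get("objects", []):
        pkg = obj.get("package", {})
        name = pkg.get("name", "")
        maintainers = [m.get("username") for m in pkg.get("maintainers", [])]
        # Search text matching is fuzzy; only trust the explicit maintainers field.
        if user not in maintainers or name in known:
            continue
        findings.append({
            "name": name,
            "maintainers": maintainers,
            "sole_maintainer": maintainers == [user],
        })
    return findings


def report(findings: list[dict]) -> str:
    """Render findings as one line per package for a terminal or a ticket."""
    if not findings:
        return "no unexpected maintainerships found"
    lines = []
    for f in findings:
        flag = " (SOLE MAINTAINER)" if f["sole_maintainer"] else ""
        lines.append(f"{f['name']}: maintainers={', '.join(f['maintainers'])}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demo on the constructed sample; replace SAMPLE_RESPONSE with
    # fetch_search("alice") to audit a real account.
    my_packages = {"alice-utils"}
    print(report(audit_maintainerships(SAMPLE_RESPONSE, "alice", my_packages)))
```

For a real account, run the script with `fetch_search(<user>)` in place of the sample, page through results with the endpoint's `from` parameter if more than 250 packages come back, and confirm any flagged package with `npm owner ls <package>` before deciding how to respond.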