Researchers hacked popular NPM package with millions of downloads

A popular NPM package with more than 3.5 million weekly downloads was found to be vulnerable to account takeover (ATO). This is stated in a report by the security firm Illustria.

According to the researchers, the package could be compromised by re-registering an expired domain name belonging to one of its maintainers and then resetting the password. Although NPM's protections limit each account to a single active email address, Illustria was able to reset the GitHub password using the re-registered domain.
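One defensive check that follows from the attack path above, as an added example (not code from Illustria's report): a Python script that pulls the maintainer e-mail domains out of an npm registry package document and flags those that no longer resolve, so a team can audit its own dependencies for this precondition. The package name, maintainers and domains are constructed, and `domain_resolves` is only an approximation of a registrar (WHOIS/RDAP) lookup.

```python
import json
import socket
from typing import Callable, Dict, List

# Constructed sample in the shape of an npm registry package document
# (GET https://registry.npmjs.org/<name>); names and addresses are made up.
SAMPLE_METADATA = json.dumps({
    "name": "example-widget",
    "maintainers": [
        {"name": "alice", "email": "alice@example.com"},
        {"name": "bob", "email": "bob@long-gone-startup.example"},
    ],
    "versions": {
        "2.4.1": {"_npmUser": {"name": "alice", "email": "alice@example.com"}},
    },
})

def maintainer_domains(metadata_json: str) -> Dict[str, List[str]]:
    """Map each e-mail domain to the maintainer names using it. Covers the
    current maintainers list and each version's recorded publisher (_npmUser)."""
    doc = json.loads(metadata_json)
    people = list(doc.get("maintainers", []))
    people += [v["_npmUser"] for v in doc.get("versions", {}).values() if "_npmUser" in v]
    out: Dict[str, List[str]] = {}
    for person in people:
        email = person.get("email", "")
        if "@" not in email:
            continue  # no address on record, nothing to audit
        domain = email.rsplit("@", 1)[1].lower()
        names = out.setdefault(domain, [])
        if person.get("name") not in names:
            names.append(person.get("name"))
    return out

def domain_resolves(domain: str) -> bool:
    """Approximate liveness check: a domain with no address records deserves a
    closer look, but only a WHOIS/RDAP query shows whether it has really expired."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(metadata_json: str,
                  resolves: Callable[[str], bool] = domain_resolves) -> Dict[str, List[str]]:
    """Return maintainer domains failing the liveness check, with the accounts
    whose password-reset e-mails would be delivered there."""
    return {d: who for d, who in maintainer_domains(metadata_json).items() if not resolves(d)}
```

Running `find_dangling` against real registry documents for your lock file's dependencies gives a list of accounts worth raising with the maintainers before someone else notices.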

The attack gives an attacker access to the package's GitHub account, which in effect allows them to publish trojanized versions to the NPM registry and thus mount large-scale supply-chain attacks.

This works through GitHub Actions workflows configured in the repository to publish the package automatically whenever new code is pushed. Even though the maintainer's NPM account is correctly configured with two-factor authentication, the automation token bypasses it.

Illustria did not disclose the module's name but said it contacted the maintainer, who has since taken steps to secure the account.

On January 17, Check Point discovered 16 malicious NPM packages uploaded by a single user under the nickname “Trendava”. Most of the packages have names resembling internet speed testers, but all of them are cryptocurrency miners.

Based on media reports cited above.