Critical vulnerabilities in NPM would allow hackers to publish new versions of any package

GitHub researchers announced the detection of two severe security flaws in NPM, the Node.js package manager. According to the report, one of these flaws could be exploited by threat actors to publish malicious versions of any package. Mike Hanley, from GitHub, reported that one of these bugs would also have allowed any user to access any private NPM packages created before October 20.

According to Hanley, during maintenance of the database that feeds the public replica of NPM at replicate.npmjs.com, some records were created that could expose the names of private packages. For a very short period, consumers of replicate.npmjs.com could therefore identify the names of private packages, because those records were displayed as public changes.

The report states that no other information was accessible to users in general, adding that the affected packages were in the @owner/package format and were created before the aforementioned date. The information would have remained exposed between October 21 and 29.

The second flaw, by contrast, would have allowed threat actors to publish new versions of any NPM package using an account without security measures. The vulnerability was reported to GitHub's bug bounty program in early November and was fixed on the same day it was reported.

This flaw reportedly stemmed from inconsistent data checks and validation across the microservices that handle requests to the NPM registry. According to Hanley, in the architecture at the time, the authorization service correctly validated a user's authorization for a package based on the package name transmitted in the request URL path; however, the service that performs the underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file. Because the two services trusted different identifiers, authorization for one package did not bind the resulting write to that same package.
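As an added illustration of the mismatch Hanley describes (example code, not npm's), the toy pipeline below authorizes on the URL path but lets the update step act on the manifest name, beside a hardened version that refuses any manifest whose name differs from the authorized one. The package names, accounts and request are constructed.

```javascript
// Added illustration, not npm's code: a toy publish pipeline reproducing the bug class
// (authorization keyed on the URL path, write keyed on the uploaded manifest) beside a
// hardened version that binds the two identifiers together.

// Constructed fixture: which accounts may publish which packages.
const MAINTAINERS = {
  "@acme/widget": new Set(["alice"]),
  "mallory-tool": new Set(["mallory"]),
};

// Authorization service: checks the caller against the package named in the URL path.
function isAuthorized(user, pkgName) {
  const owners = MAINTAINERS[pkgName];
  return owners !== undefined && owners.has(user);
}

function addVersion(registry, name, version) {
  registry[name] = registry[name] || [];
  registry[name].push(version);
}

// Vulnerable update service: trusts the name inside the uploaded package file.
function publishVulnerable(req, registry) {
  if (!isAuthorized(req.user, req.urlPackage)) return { ok: false, reason: "forbidden" };
  const target = req.manifest.name; // authorized for one name, writes to another
  addVersion(registry, target, req.manifest.version);
  return { ok: true, published: target };
}

// Hardened update service: the manifest must name exactly the package the caller was
// authorized for, and the write uses the authorized name, never the manifest's.
function publishHardened(req, registry) {
  if (!isAuthorized(req.user, req.urlPackage)) return { ok: false, reason: "forbidden" };
  if (req.manifest.name !== req.urlPackage) {
    return { ok: false, reason: "manifest name does not match authorized package" };
  }
  addVersion(registry, req.urlPackage, req.manifest.version);
  return { ok: true, published: req.urlPackage };
}

// Constructed request: a legitimate maintainer of one package uploads a tarball whose
// manifest names a package they do not own; only the vulnerable path publishes it.
function demo() {
  const req = { user: "mallory", urlPackage: "mallory-tool",
                manifest: { name: "@acme/widget", version: "9.9.9" } };
  const vulnerable = {};
  const hardened = {};
  return { before: publishVulnerable(req, vulnerable), after: publishHardened(req, hardened),
           vulnerable, hardened };
}
```

A real registry should also log the rejected mismatch, since a manifest that names a package other than the one in the URL is a strong signal of a malformed client or an attempted cross-package write.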

The good news is that GitHub has found no evidence of active exploitation of either flaw, although Hanley acknowledges that the vulnerability predates the security records GitHub maintains, so exploitation cannot be fully ruled out and we will have to wait for the final reports to be issued.
