Researchers have discovered a severe vulnerability in the npm registry that could harm developers. Exploiting the npm bug allowed adding random ‘maintainers’ sneakily to their malicious packages. Following the bug report, the npm team patched the flaw.
npm Registry Bug Allowed Adding Maintainers Sneakily
As elaborated in a recent post, researchers from Aqua Security caught an npm registry bug allowing adding maintainers randomly.
A logical flaw existed in the platform registry that allowed a package creator to add other users as maintainers. Dubbed “package planting,” this activity didn’t require the other users’ input, nor would notify them. Hence, users might get registered unknowingly as ‘maintainers’ to malicious packages.
This behavior would not only affect the user’s reputation but also impart a false legitimate impression to the malicious packages.
Explaining how this would trick general users and wreak havoc, the researchers stated,
For instance, the package lodash is highly popular and credible. If we add its owners Mathias, jdalton, and bnjmnt4n to a new, malicious package, many developers may be tricked into thinking that this package is legitimate and even appealing.
An attacker could exploit this bug in various scenarios. For example, the attacker would create a malicious package and add reputable users as maintainers. Then, the attacker could also remove its profile from the package, leaving behind the reputable maintainers only, to add legitimacy to the package and attract users. Likewise, after performing all these steps, an attacker could report the package to npm to discredit the maintainers.
Upon discovering the vulnerability, the researchers reached out to the npm team, which then promptly fixed the bug.
Hence, adding any maintainer to a package sends an invitation email to the user, seeking confirmation. This alerting system prevents the stealth addition of users to malicious packages.
Nonetheless, the researchers advise npm users to monitor the packages listed under their names to spot any unknown packages.
Let us know your thoughts in the comments.