NPM bug allowed attackers to distribute malware as legitimate packages
The supply chain threat has been dubbed “Package Planting” by researchers at cloud security firm Aqua. Following the responsible disclosure on February 10, the underlying issue was resolved by NPM on April 26.
“Until recently, NPM allowed anyone to be added as a maintainer of the package without notifying these users or obtaining their consent,” Aqua’s Yakir Kadkoda said in a Tuesday report.
This effectively meant that an adversary could create packages containing malware and assign them to trusted and popular maintainers without their knowledge.
The idea here is to add credible owners associated with other popular NPM libraries to the attacker-controlled poisoned package in hopes that this will trick developers into downloading it.
The consequences of such a supply chain attack are significant for a number of reasons. Not only does this give a false sense of trust between developers, but it could also damage the reputation of legitimate package maintainers.
The disclosure comes as Aqua discovered two other flaws in the NPM platform related to two-factor authentication (2FA) that could be misused to facilitate account takeover attacks and release packages malicious.
“The main issue is that any npm user can do this and add other npm users as maintainers of their own package,” Kadkoda said. “Ultimately, developers are responsible for the open source packages they use when building apps.”