CIO News Hubb
Advertisement
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
CIO News Hubb
No Result
View All Result
Home Information Security

Researchers Hijack Popular NPM Package with Millions of Downloads

admin by admin
February 16, 2023
in Information Security


Feb 16, 2023Ravie LakshmananSupply Chain / Software Security

A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack.

“The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password,” software supply chain security company Illustria said in a report.

While npm’s security protections limit users to have only one active email address per account, the Israeli firm said it was able to reset the GitHub password using the recovered domain.

The attack, in a nutshell, grants a threat actor access to the package’s associated GitHub account, effectively making it possible to publish trojanized versions to the npm registry that can be weaponized to conduct supply chain attacks at scale.

This is achieved by taking advantage of a GitHub Action that’s configured in the repository to automatically publish the packages when new code changes are pushed.

“Even though the maintainer’s npm user account is properly configured with [two-factor authentication], this automation token bypasses it,” Bogdan Kortnov, co-founder and CTO of Illustria, said.

NPM Package

Illustria did not disclose the name of the module, but noted that it reached out to its maintainer, who has since taken steps to secure the account.

This is not the first time developer accounts have been found vulnerable to takeovers in recent years. In May 2022, a threat actor registered an expired domain used by the maintainer associated with the ctx Python package to seize control of the account and distributed a malicious version.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

Taylor Swift ticket scams: How to stay safe

Next Post

InitiativesofIA

Related Posts

Information Security

Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals

by admin
September 26, 2023
Information Security

What is Digital Identity? | Avast

by admin
September 26, 2023
Information Security

New Apple Zero-Days Exploited to Target Egyptian ex-MP with Predator Spyware

by admin
September 25, 2023
Information Security

New Advanced Backdoor with Distinctive Malware Tactics

by admin
September 24, 2023
Information Security

New Variant of Banking Trojan BBTok Targets Over 40 Latin American Banks

by admin
September 23, 2023
Next Post

InitiativesofIA

Recommended

InnovationBreakthrough Book Introduction Chapter 1 Breakthrough Innovation Types ~ Future of CIO

September 26, 2023

Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals

September 26, 2023

What is Digital Identity? | Avast

September 26, 2023

5 Essential Competency Areas for Success

September 26, 2023

Innovation Breakthrough Chapters Review ~ Future of CIO

September 25, 2023

New Apple Zero-Days Exploited to Target Egyptian ex-MP with Predator Spyware

September 25, 2023

© CIO News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

Newsletter Sign Up

No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

© 2022 CIO News Hubb All rights reserved.