Bars Icon

NPM fixes private package names leak, serious authorization bug

29-12-2023 12:05 PM

The largest software registry of Node.js packages, npm, has disclosed multiple security flaws that were identified and remedied recently.The first flaw concerns leak of names of private npm packages on the npmjs.com’s ‘replica’ server—feeds from which are consumed by third-party services.Whereas, the second flaw allows attackers to publish new versions of any existing npm package that they do not own or have rights to, due to improper authorization checks.

This week, npm’s parent company, GitHub has disclosed two security flaws that were identified and resolved in the npm registry between October and this month.

The first one is a data leak on the npmjs’ replication server, which was caused by ‘routine maintenance.’ The leak exposed a list of names of private npm packages, but not the content of these packages during the maintenance window.”During maintenance on the database that powers the public npm replica at replicate.npmjs.com, records were created that could expose the names of private packages,” states GitHub Chief Security Officer, Mike Hanley in a blog post.
“This briefly allowed consumers of replicate.npmjs.com to potentially identify the names of private packages due to records published in the public changes feed. No other information, including the content of these private packages, was accessible at any time.”
Note, while the content of the private packages was not exposed, knowledge of the private package names is enough for threat actors to conduct targeted dependency confusion and typosquatting attacks in an automated fashion, as we have seen time and time again.

The leak specifically concerns scoped private npm libraries that look like “@owner/package” and were created before October 20th. Names of such libraries were exposed “between October 21 13:12:10Z UTC and October 29 15:51:00Z UTC,” according to GitHub.The data leak was identified by GitHub on October 26th and by the 29th, all records containing private package names were deleted from the npm’s replication database. Although, GitHub does warn that despite this, the replicate.npmjs.com service is consumed by third parties who may, therefore, continue to retain a copy or “may have replicated the data elsewhere.”
To prevent such an issue from recurring, GitHub has made changes to its process of generating the public replication database which is expected to eliminate the possibility of leaking private package names in the future.