GitHub has fixed two node package manager (npm) registry vulnerabilities, one of those could allow an attacker to publish new versions of an npm package without proper authorization.
Mike Hanley of GitHub recently described the fixed issues and commitment to security in a recent blog post:
“As stewards of the registry, the security and trustworthiness of npm is crucial to all of us at GitHub, and we believe transparency is critical to maintaining that trust. Today, we are disclosing two recent security issues impacting the npm registry itself and the steps we’ve taken toward remediation.”Mike Hanley, GitHub
The first issue was related to how the database hosting the public npm replica (replicate.npmjs.com) created records that could expose the names of private packages.
“This briefly allowed consumers of replicate.npmjs.com to potentially identify the names of private packages due to records published in the public changes feed,” Hanley stated.
The second issue would allow an attacker to use an account without proper authorization to publish new versions of an npm package.
“We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry,” Hanley added.
GitHub emphasized the company will continue to protect registry users from account takeovers with two-factor authentication (2FA), leverage security bug bounty program and continue to invest into npm secuirty and broader security supply chain.