Expired domain leaves npm module with 3.5m downloads vulnerable

Welcome to the latest edition of Chainmail: Software Supply Chain Security News, curated by the team at ReversingLabs. This week: a report by the firm Illustria reveals that a popular npm open source module with 3.5m weekly downloads was vulnerable to being hijacked.

This Week’s Top Story

Researchers reveal npm module vulnerable to hijacking

Security researchers at the firm Illustria wrote about their discovery of a shocking security lapse that left a popular npm module with more than 3.5 million weekly downloads vulnerable to hijacking. In a blog post, Bogdan Kortnov, the CTO at Illustria, wrote that researchers at his company discovered the flaw in the npm module, which he declined to name, during a customer onboarding exercise. The module in question was listed in one of a number of manifest files Illustria reviewed for supply chain risks. Upon further investigation, Illustria researchers realized that a domain associated with one of the popular module's maintainers had expired and was for sale. That allowed the researchers to acquire the domain and then use their control over it to "recover" the maintainer's email account.

With that, the researchers were able to reset a password on a GitHub account associated with the package and recover a CI/CD automation token from the project’s pipeline. That token subsequently allowed the researchers to bypass the two-factor authentication used to secure the maintainer account and effectively take control of the project. After their discovery, the Illustria researchers contacted the original maintainer and helped them to recover the expired domain.
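The chain described above starts with a maintainer e-mail domain that has lapsed. A defender can check for that condition before trusting a package, by pulling the maintainer e-mail addresses out of the registry metadata and looking each domain up in RDAP (the successor to WHOIS) to see whether it is registered and when the registration expires. The script below is an added example, not code from Illustria or from the newsletter; the package metadata, domain names and dates are constructed, and the RDAP lookup assumes the public `rdap.org` bootstrap service, which answers 404 for an unregistered name and lists an `expiration` event for a registered one.

```python
import json
import re
import urllib.error
import urllib.request
from datetime import date, timedelta

# Constructed npm-style registry metadata (not a real package). The registry's
# "maintainers" array carries name/email pairs in exactly this shape.
SAMPLE_METADATA = {
    "name": "example-widget",
    "maintainers": [
        {"name": "alice", "email": "alice@example-maintainer.dev"},
        {"name": "bob", "email": "bob@expired-example.invalid"},
        {"name": "carol", "email": "carol@expiring-example.test"},
    ],
}


def email_domain(email):
    """Return the lower-cased domain part of an e-mail address, or None if malformed."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", email.strip())
    return m.group(1).lower() if m else None


def rdap_domain_status(domain, timeout=10):
    """Live RDAP lookup (needs network). Returns (registered, expiration_or_None)."""
    url = f"https://rdap.org/domain/{domain}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            data = json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:          # RDAP answers 404 for an unregistered domain
            return (False, None)
        raise
    expiration = None
    for ev in data.get("events", []):
        if ev.get("eventAction") == "expiration":
            expiration = ev.get("eventDate")
    return (True, expiration)


def _parse_event_date(value):
    # RDAP eventDate is RFC 3339; the calendar day is enough for an expiry check.
    return date.fromisoformat(value[:10]) if value else None


def audit_maintainer_domains(metadata, status_fn=rdap_domain_status, today=None, warn_days=30):
    """Flag maintainer e-mail domains that are unregistered, expired, or about to expire.

    Returns a list of (maintainer, domain, reason) tuples. status_fn is injectable so
    the check can run offline against recorded answers.
    """
    today = today or date.today()
    findings = []
    cache = {}                                   # one lookup per distinct domain
    for m in metadata.get("maintainers", []):
        name = m.get("name", "?")
        domain = email_domain(m.get("email", ""))
        if domain is None:
            findings.append((name, "", "malformed or missing maintainer email"))
            continue
        if domain not in cache:
            cache[domain] = status_fn(domain)
        registered, expiration = cache[domain]
        if not registered:
            findings.append((name, domain, "unregistered: account recovery mail would go to whoever registers it"))
            continue
        exp = _parse_event_date(expiration)
        if exp is None:
            continue                             # registrar did not publish an expiry
        if exp < today:
            findings.append((name, domain, f"registration expired on {exp}"))
        elif exp <= today + timedelta(days=warn_days):
            findings.append((name, domain, f"registration expires on {exp}"))
    return findings


if __name__ == "__main__":
    # Live run against the constructed sample (the sample domains are not real).
    for finding in audit_maintainer_domains(SAMPLE_METADATA):
        print(finding)
```

Two caveats matter in practice: a domain that has lapsed but is parked "for sale" is still registered at the moment RDAP is queried, so the expiry date, not just the 404 case, is the signal to act on; and a clean result says nothing about whether the maintainer's mailbox at that domain is itself protected. Plug in `requests`-based registry fetches or a recorded RDAP cache as `status_fn` to run this over a whole lockfile.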

The incident underscores the tenuous security surrounding even popular and widely used open source modules, which are often created and maintained by individuals or small groups of unpaid volunteers. In late 2021, for example, an npm package, UA-Parser-JS, with millions of weekly downloads was hijacked and used to distribute cryptomining and password-exfiltrating malware.

Experts say that more oversight and investment in open source software is needed to avoid a so-called "tragedy of the commons," in which a failure by a community of users to invest in and care for shared goods results in the eventual decay of those goods.

News Roundup

Here are the stories we’re paying attention to…

Malicious PyPI campaign reveals new attacker methods

The security firm Phylum warned recently about the discovery of more than 400 packages on the Python Package Index (PyPI) repository with malicious payloads. As Dan Goodin at Ars Technica notes in a recent article on the incident, the attack relied on well-known attack techniques, such as typosquatting on the names of popular PyPI modules. But it also revealed a new approach to obfuscation, with the new malicious packages creating function and variable identifiers in what appear to be random 16-bit combinations of Chinese language ideographs to disguise the malicious behavior. (Ars Technica)

CNCF Director: shift left brings security troubles

In a speech at CloudNativeSecurityCon in Seattle, Priyanka Sharma, the Cloud Native Computing Foundation (CNCF) Executive Director, told attendees that, even as the "shift left" characterized by the embrace of DevOps and CI/CD methodologies and tools has turbo-charged development, it has also led to “more exposed edges and nodes with attack surfaces and ultimately less control.” The fix? Organizations need to focus on training and education to break down "silos." Also, practitioners and developers should take a cue from the open source software ecosystem and "share their development and deployment expertise," she said. "When we work together, we cover far more ground than any single organization.” (The New Stack)

Docker SBOM: keeping a check on security risks

The Log4j vulnerability and SolarWinds supply chain attacks alerted us that software supply chains are at great risk of being targeted by attackers. In response, Docker has introduced a Software Bill of Materials (SBOM) format for container images. It has announced the docker sbom CLI command in Docker Desktop 4.7.0 as a CLI plugin, which lists all the components of the container image. It is an experimental functionality for now, which has been developed as an open source collaboration with Anchore through the Syft tool. (Opensourceforu.com)
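An SBOM is only useful once something consumes it. As an added example (not code from Docker, Anchore or the newsletter), the script below reads an SPDX JSON document of the kind `docker sbom <image> --format spdx-json` produces, lists every component with its version, and flags any that fall below a first-fixed version on a watch list. The SPDX fragment and the `openssl`/`curl` entries are constructed; the one real item on the watch list is `log4j-core`, for which 2.17.1 is the release that closed out the Log4Shell-era CVEs.

```python
import json
import re

# Constructed SPDX 2.x JSON fragment in the shape syft / docker sbom emit; a real
# document carries many more fields (licenses, checksums, relationships).
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-image:1.0",
    "packages": [
        {"SPDXID": "SPDXRef-Package-log4j-core", "name": "log4j-core", "versionInfo": "2.14.1"},
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.8-1"},
        {"SPDXID": "SPDXRef-Package-curl", "name": "curl", "versionInfo": "7.88.1"},
    ],
})

# Watch list of (package name -> first version that is fixed). Only log4j-core is a
# real entry; extend from your own advisory feed.
WATCH_LIST = {"log4j-core": "2.17.1"}


def parse_version(text):
    """Turn '2.17.1' or '3.0.8-1' into a tuple of ints for ordered comparison.

    Deliberately simple: distro epochs and pre-release tags are not understood,
    so treat the result as a triage signal, not a final verdict.
    """
    return tuple(int(x) for x in re.findall(r"\d+", text))


def list_components(spdx_json):
    """Return [(name, version)] for every package in an SPDX JSON document."""
    doc = json.loads(spdx_json)
    return [(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])]


def find_watched(spdx_json, watch_list=WATCH_LIST):
    """Return [(name, installed, first_fixed)] for components below a watch-list version."""
    hits = []
    for name, version in list_components(spdx_json):
        fixed = watch_list.get(name)
        if fixed and version and parse_version(version) < parse_version(fixed):
            hits.append((name, version, fixed))
    return hits


if __name__ == "__main__":
    for name, version in list_components(SAMPLE_SPDX_JSON):
        print(f"{name:12} {version}")
    for name, installed, fixed in find_watched(SAMPLE_SPDX_JSON):
        print(f"ATTENTION: {name} {installed} is below first fixed version {fixed}")
```

To run it against a real image, redirect the `docker sbom` output to a file and pass its contents in place of `SAMPLE_SPDX_JSON`; for production matching, swap `parse_version` for a proper ecosystem-aware comparator and the hand-written watch list for a vulnerability database lookup.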

U.S. Government gears up to tackle supply chain security

On the sidelines of the recent State of Open Con 23 conference in London, UK, Camille Stewart Gloster, Deputy National Cyber Director at the U.S. Office of the National Cybersecurity Director (ONCD), told InfoSecurity that she is looking to build a diverse team that can tackle the complex supply chain security risk, including the potential for governments to exploit open source vulnerabilities to spy on citizens. Stewart Gloster said that the federal government is not rushing to make interventions in the open source space, but is carefully analyzing the issues and understanding where intervention is necessary. “Our first order of business is to understand the challenges and opportunities and what our role in that is,” explained Stewart Gloster. (InfoSecurity)

Resource Roundup

Upcoming Webinar | Secrets Revealed: CircleCI's Breach & Lessons Learned 

On Wednesday, February 22nd, join Matt Rose from ReversingLabs and Chris Wilder, Research Director at TAG Cyber, as they dig into the details of the recent CircleCI hack, talk about lessons learned from the attack and discuss what organizations of all sizes can do to address the security of secrets across the SDLC.

Software Supply Chain Threats Surge as Main Driver in SCA Evolution

The leading market analyst firm Forrester released its 2023 Software Composition Analysis report, recognizing ReversingLabs among notable vendors in the SCA space. Download a complimentary copy of Forrester’s SCA report and learn why ReversingLabs is listed among 23 notable vendors.
