“I just noticed that ‘foreach’ on NPM is controlled by a single maintainer,” Vick wrote in a Twitter post Monday. “I also noticed they let their domain expire, so I bought it before anyone else did. I now control ‘foreach’ on npm, and the 36,826 projects that depend on it.”
That’s not quite the story – he probably could have taken control but didn’t. Vick acquired the expired domain that the maintainer had used to create an NPM account and that is associated with the “foreach” package on NPM. But he said he didn’t go through with resetting the password on the email account linked to the “foreach” package, which is downloaded nearly six million times a week.
In an email to The Register, Vick explained: “As an NPM team member pointed out, the emails associated with NPM accounts and the emails used on the package itself can sometimes be different, but even if that’s the case, controlling an owner account would be a case of easy social engineering to customer support. I haven’t logged into the account because, again, it crosses a line. I just emailed the password reset and I bailed out.
“Regardless of the degree of control I have over this particular package, which is unclear, NPM admits that this particular expired domain issue is a known issue, citing this 2021 [research paper] which says, “We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking control of NPM accounts.”
“In other words, anyone snooping around will find accounts that are easy to hijack this way. I wasn’t lucky or special.”
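The check the quoted research describes (maintainer email addresses on domains that have lapsed) is easy to run against your own dependency tree. The script below is an added example written for this article, not code from Vick, the cited paper or npm. It reads the `packages` map of a `package-lock.json`, pulls each dependency's `maintainers` list from a registry document shaped like `https://registry.npmjs.org/<name>`, and flags single-maintainer packages and maintainer emails whose domain no longer resolves. The lockfile, registry documents, package names, email addresses and domains are all constructed for the demo; the `OFFLINE_DNS` table stands in for DNS so it runs without a network, and `live_resolver` is the version you would pass in for a real audit.

```python
"""Audit npm dependencies for maintainer e-mail domains that no longer resolve.

Added example, not code from the article or from npm. Every package name,
e-mail address, domain and registry document below is constructed.
"""
import json
import re
import socket
import urllib.parse
import urllib.request
from functools import lru_cache
from typing import Callable, Dict, List, Optional

# Constructed excerpt of a package-lock.json (lockfileVersion 2/3 "packages" map).
SAMPLE_LOCKFILE = json.dumps({
    "name": "my-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "dependencies": {"foreach-ish": "^2.0.0"}},
        "node_modules/foreach-ish": {"version": "2.0.3"},
        "node_modules/left-padder": {"version": "1.3.0"},
        "node_modules/left-padder/node_modules/solid-lib": {"version": "4.1.0"},
    },
})

# Constructed registry documents, shaped like https://registry.npmjs.org/<name>.
SAMPLE_REGISTRY_DOCS = {
    "foreach-ish": json.dumps({
        "name": "foreach-ish",
        "maintainers": [{"name": "solo-dev", "email": "solo@expired-example.test"}],
    }),
    "left-padder": json.dumps({
        "name": "left-padder",
        "maintainers": [
            {"name": "alice", "email": "alice@example.com"},
            {"name": "bob", "email": "Bob@EXPIRED-example.test"},
        ],
    }),
    "solid-lib": json.dumps({
        "name": "solid-lib",
        "maintainers": [{"name": "carol", "email": "carol@example.org"}],
    }),
}

# Constructed answer table for the offline resolver: which domains still resolve.
OFFLINE_DNS = {"example.com": True, "example.org": True, "expired-example.test": False}


def offline_resolver(domain: str) -> bool:
    """Stand-in for DNS so the example runs without network access."""
    return OFFLINE_DNS.get(domain, False)


@lru_cache(maxsize=None)
def live_resolver(domain: str) -> bool:
    """True if the domain still resolves to an address (A/AAAA).

    NXDOMAIN is a strong signal that the registration lapsed, but a parked
    domain still resolves, so confirm a hit with an RDAP/WHOIS lookup."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def fetch_registry_doc(name: str) -> str:
    """Fetch a package's registry document (network; not used by the offline demo)."""
    url = "https://registry.npmjs.org/" + urllib.parse.quote(name, safe="@")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def dependency_names(lockfile_json: str) -> List[str]:
    """Package names from the lockfile's "packages" map; scoped names are kept whole."""
    names = set()
    for path in json.loads(lockfile_json).get("packages", {}):
        if not path:  # the "" entry is the project itself
            continue
        names.add(path[path.rfind("node_modules/") + len("node_modules/"):])
    return sorted(names)


def email_domain(email: str) -> Optional[str]:
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", email.strip())
    return m.group(1).lower() if m else None


def audit_package(doc_json: str, resolves: Callable[[str], bool]) -> Dict:
    """Flag a single maintainer and any maintainer e-mail on a dead domain.

    The address shown on the package can differ from the one used to log in
    to the npm account, so a clean result here is not proof the account is safe."""
    doc = json.loads(doc_json)
    maintainers = doc.get("maintainers", [])
    findings = []
    if len(maintainers) == 1:
        findings.append("single-maintainer")
    for m in maintainers:
        domain = email_domain(m.get("email", ""))
        if domain is None:
            findings.append(f"unparseable-email:{m.get('name')}")
        elif not resolves(domain):
            findings.append(f"dead-domain:{m.get('name')}@{domain}")
    return {"name": doc.get("name"), "maintainers": len(maintainers), "findings": findings}


def audit_lockfile(lockfile_json: str, registry_docs: Dict[str, str],
                   resolves: Callable[[str], bool]) -> Dict[str, Dict]:
    return {name: audit_package(registry_docs[name], resolves)
            for name in dependency_names(lockfile_json)}


if __name__ == "__main__":
    for name, result in audit_lockfile(SAMPLE_LOCKFILE, SAMPLE_REGISTRY_DOCS, offline_resolver).items():
        print(f"{name}: {', '.join(result['findings']) or 'ok'}")
```

For a real tree, build `registry_docs` with `fetch_registry_doc` for each name from `dependency_names` and pass `live_resolver`. Treat a `dead-domain` finding as a lead, not a verdict: the domain may be parked rather than available, and as Vick notes above, the account's login email may not be the one shown on the package.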
His view, which he has been trying for several years to communicate to those overseeing NPM – part of GitHub since March 2020 – is that taking over a popular project’s NPM account to attack the software supply chain continues to be too easy.
“Git at least built in code signing, and the NPM team wasn’t even using it … meaning anyone could even spoof code commits as any of their own in-house developers,” Vick explained in an email to The Register.
“I was frustrated enough in 2020 that I made the potentially ill-advised choice to send my status message and calls to action to the NPM team in the form of a commit to their own repository. To drive the point home, I demonstrated that I could impersonate one of their security officers (Sorry, Adam).”
He said he also pointed out that it is trivial to hijack major NPM accounts, as most do not have phishing-resistant 2FA enabled.
Vick explained his rationale in a comment on his commit a few days later. “Major e-commerce platforms, major financial companies like PayPal, several large banks, as well as most major crypto-asset exchanges rely on NPM packages for critical infrastructure where billions of dollars are at stake,” he wrote.
“I work with many of these companies in the security space and the level of life-ruining theft I regularly see up close due to vulnerable/hacked packages or lack of 2FA on critical accounts is heartbreaking.”
Name and shame
Vick went so far as to set up, with the help of John Naulty Jr, a spreadsheet of NPM package maintainers with terrible security practices. The spreadsheet was featured in an NPM security blog post by Vick and Naulty that was published the same day as Vick’s commit to the NPM repository.
Naulty, a software security engineer, told The Register in a phone interview that he and Vick were motivated to do something by the event-stream incident. He said those named on the spreadsheet were largely receptive to their appeal and many had adopted better security practices.
And he credits Vick’s orphaned commit for catching someone’s attention in the Microsoft, GitHub, and NPM ecosystem. “Eventually they released a feature that now indicates that this commit is not attached to any branch of this organization,” he said.
Naulty said the SolarWinds attack that emerged in late 2020 really focused attention on supply chain security and led a number of startups to focus on the space. And he credited projects like OpenSSF with pushing to improve supply chain security.
Naulty said other packaging ecosystems like PyPI had similar issues and credited the open source community for at least making an effort. He said NPM security is improving, but there are still many types of attacks that can be carried out.
“We all trust strangers on the internet to give us good candy from their truck,” he said.
It’s always a risk. On Tuesday, JFrog reported an NPM supply chain attack targeting German industrial companies Bertelsmann, Bosch, Stihl and DB Schenker via malware in NPM packages – although the attack appears to be a penetration test that attracted the attention of security companies.
And it’s been a risk for years. Vick’s post describes an effort dating back nearly a decade to implement package verification in NPM that was abandoned as too difficult.
“As a community we created a dumpster fire together and I think we need major changes to fix it now,” Vick wrote.
2FA all the way
GitHub responded to the commotion by announcing a plan in December 2021 to enroll all NPM maintainers in two-factor authentication, and rolled out the initial phase of this program in February, with 2FA mandatory for the maintainers of the top 100 packages.
On Tuesday, GitHub launched a beta test of its improved 2FA implementation for all NPM accounts. According to open source product manager Myles Borins, NPM accounts now support: multiple second factors, including security keys, biometric devices, and authentication apps; a new 2FA configuration menu for managing keys and recovery codes; full CLI support; and the ability to review and regenerate recovery codes.
Borins also said that at the end of the month, May 31, GitHub will enroll the next mandatory 2FA cohort, the maintainers of the top 500 npm packages. Then, later this year, a final group of maintainers – those whose packages have more than a million weekly downloads or more than 500 dependents – will need to adopt 2FA.
GitHub declined to comment on this issue beyond what is stated in the blog post.
Vick says he’s thrilled with the announcement, which came as a surprise.
“The timing is kind of funny though, because this morning Github/NPM announced that they’re finally adding MFA hardware support to NPM, which is a huge win,” he said. “I’m really happy to see this because it’s the best way to protect accounts. We in the security community have been asking for this for years.
“That said, it still doesn’t protect code if a developer fails to properly configure 2FA, or has an email with weak 2FA, as most still do today. A malicious or compromised NPM employee could also tweak any code he wants right now, and with some of that code being responsible for the movement of billions of dollars by big fintech companies, I don’t envy them walking around with such big targets on their backs.”
Vick argues that user code signing can solve all of these problems. “I really hope NPM takes this step soon,” he said. “I’m speaking with a member of their team tomorrow and we’ll see where that leads.” ®