GitHub to mandate 2FA for maintainers of top NPM packages

GitHub will require two-factor authentication (2FA) for maintainers of popular NPM packages, following recent attacks in which the popular NPM package ua-parser-js was found to contain malicious code.

ua-parser-js is used by apps and websites to identify a visitor's device or browser from User-Agent data; a computer with the affected package installed could allow a remote attacker to obtain sensitive information. Separately, GitHub disclosed a vulnerability that could allow an attacker to publish new versions of any NPM package from an account without proper authorization.

The new 2FA policy will start with a cohort of top NPM packages in the first quarter of 2022, according to a bulletin published by GitHub on November 15.

Major incidents on the registry where NPM accounts were compromised by malicious actors

GitHub also discovered an issue during routine maintenance of a public NPM service: maintenance on the database of the NPM replica generated records that could expose the names of private NPM packages.

Records in the replica's public changes feed allowed consumers of the replica to identify the names of private packages. The names of all private packages in the @owner/package format created before October 20 were exposed between October 21 and October 29, before work began on a fix and on determining the scope of the exposure.

The records containing the private package names have since been removed from the replicate.npmjs.com service, and changes have been made to prevent the issue from recurring.

What to do when you have an infected package installed or running on your system

If a computer has an infected package installed or running, it should be considered fully compromised: all secrets and keys stored on that computer should be rotated immediately, from a different computer.

GitHub also recommends removing the package, but because the threat actors may have gained full control of the compromised computer, there is no guarantee that removing the package will remove all of the malicious software.
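The first step of the response above is knowing whether the package is on the machine at all, including as a transitive dependency several levels down. The following script is an added example, not code from the article or from GitHub/npm: it reads a package-lock.json (lockfileVersion 1, 2 or 3) and lists every path at which a named package is installed, with its resolved version. The sample lockfile, the "web-analytics" package and all version numbers in it are constructed for illustration; the script does not know which versions of ua-parser-js were malicious, so compare the reported versions against the maintainer's advisory yourself.

```python
"""Locate every copy of a named package in an npm lockfile (added example)."""
import json
import sys
from typing import Dict, List, Tuple

# Constructed sample lockfile: a project whose assumed dependency "web-analytics"
# pins its own nested copy of ua-parser-js while the project also has a top-level
# copy. Both lockfileVersion 2 ("packages") and lockfileVersion 1 ("dependencies")
# sections are present so the parser can be exercised on either shape.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"web-analytics": "^1.0.0"}},
        "node_modules/web-analytics": {"version": "1.0.0",
                                       "dependencies": {"ua-parser-js": "^0.7.0"}},
        "node_modules/web-analytics/node_modules/ua-parser-js": {"version": "0.7.99"},
        "node_modules/ua-parser-js": {"version": "1.0.0"},
    },
    "dependencies": {
        "web-analytics": {"version": "1.0.0",
                          "requires": {"ua-parser-js": "^0.7.0"},
                          "dependencies": {"ua-parser-js": {"version": "0.7.99"}}},
        "ua-parser-js": {"version": "1.0.0"},
    },
})


def _walk_v1(deps: Dict, name: str, prefix: str, found: List[Tuple[str, str]]) -> None:
    """lockfileVersion 1 nests 'dependencies' recursively; rebuild each install path."""
    for dep_name, info in deps.items():
        path = f"{prefix}node_modules/{dep_name}"
        if dep_name == name:
            found.append((path, info.get("version", "?")))
        _walk_v1(info.get("dependencies", {}), name, path + "/", found)


def find_package(lockfile_text: str, name: str) -> List[Tuple[str, str]]:
    """Return sorted (install path, version) pairs for every copy of `name`.

    Scoped names such as "@owner/package" work unchanged because the install
    path ends with "node_modules/@owner/package".
    """
    lock = json.loads(lockfile_text)
    found: List[Tuple[str, str]] = []
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path relative to the project.
        for path, info in lock["packages"].items():
            if path.endswith(f"node_modules/{name}"):
                found.append((path, info.get("version", "?")))
    elif "dependencies" in lock:
        # lockfileVersion 1: nested tree.
        _walk_v1(lock["dependencies"], name, "", found)
    return sorted(found)


if __name__ == "__main__":
    # Usage: python find_package.py <package-name> [path/to/package-lock.json]
    # With no lockfile argument the constructed sample above is used.
    target = sys.argv[1] if len(sys.argv) > 1 else "ua-parser-js"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_LOCKFILE
    hits = find_package(text, target)
    if not hits:
        print(f"{target}: not present in lockfile")
    for path, version in hits:
        print(f"{target}@{version} at {path}")
```

Run it against each project's committed package-lock.json rather than trusting `node_modules` on the suspect machine, since the article's point is that a compromised host cannot be trusted to report on itself; the lockfile from source control gives an independent view of what should have been installed.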
