GitHub’s commitment to npm ecosystem security | The GitHub Blog – no npm package can historically be tracked to be authentic
Posted by jpluimers on 2021/11/18
What started as [Wayback/Archive] GitHub’s commitment to npm ecosystem security | The GitHub Blog with this quote:
on November 2 we received a report to our [Wayback/Archive] security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization. …
This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously. … the timeframe for which we have available telemetry, which goes back to September 2020 …
This basically means you cannot trust the authenticity of any npm package published through the registry.
It sparked reactions like these:
- [Archive] npm on Twitter: “an update on recent security incidents across the registry as well as a look into our ongoing investments in maintaining the security of the registry (including 2FA requirements) ⬇️ “
…
You buried the lede big time: arbitrary package publishing vulnerability, for unknown period of time.
…
remember how we discussed what determines a package name? Npm was not sure either
…
you missed the part where they said the vulnerability has been around since before they even put in vulnerability telemetry. There exists no way of knowing which snapshot is safe.
- [Archive] Dustin Ingram on Twitter: “Wow: “we received a report… of a vulnerability that would allow an attacker to publish new versions of any npm package… This vulnerability existed in the npm registry beyond the timeframe for which we have telemetry to determine whether it has ever been exploited maliciously”… “
- [Archive] Kristian Köhntopp on Twitter: “And with this tweet the entire npm ecosystem and every machine npm ever touched turns instantly into a radioactive toxic wasteland.… “
–jeroen