GitHub fixed serious npm registry vulnerability, will mandate 2FA use for certain accounts

GitHub has fixed a serious vulnerability that would have allowed attackers to publish new, malicious versions of any existing package on the npm registry.

About the fixed vulnerability

The vulnerability, flagged by security researchers Kajetan Grzybowski and Maciej Piechota, existed because several microservices that handle requests to the npm registry performed inconsistent authorization checks and validation of data.

“In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file,” GitHub’s chief security officer Mike Hanley explained.

“This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package.”
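To make the discrepancy concrete, here is an added illustration (not GitHub's or npm's code) of a toy publish endpoint built the way the explanation above describes: an authorization step that checks the package name taken from the URL path, and an update step that decides which package to write from the name inside the uploaded package file. The hardened variant requires the two names to agree before anything is written. The package names, users and versions are constructed for the example.

```javascript
// Added example, not code from the original page or from GitHub/npm.
// Models two services: one authorizes on the URL path's package name, the
// other performs the write. In the vulnerable variant the writer takes the
// target package from the uploaded manifest (package.json) instead of from
// the authorized path. All package names and users below are made up.

function createRegistry() {
  // package name -> users allowed to publish it (constructed data)
  const ownership = new Map([
    ["popular-lib", new Set(["alice"])],
    ["mallorys-lib", new Set(["mallory"])],
  ]);
  // package name -> published versions (constructed data)
  const versions = new Map([
    ["popular-lib", ["4.17.21"]],
    ["mallorys-lib", ["1.0.0"]],
  ]);

  // Authorization service: validates the caller against the package named
  // in the request URL path only.
  function authorize(user, urlPackageName) {
    const owners = ownership.get(urlPackageName);
    return owners !== undefined && owners.has(user);
  }

  // Update service, vulnerable variant: the authorization check passes for
  // urlPackageName, but the write targets whatever the manifest says.
  function publishVulnerable(user, urlPackageName, manifest) {
    if (!authorize(user, urlPackageName)) throw new Error("403 forbidden");
    const target = manifest.name; // BUG: trusts the uploaded file for the identity
    if (!versions.has(target)) versions.set(target, []);
    versions.get(target).push(manifest.version);
    return target;
  }

  // Hardened variant: the identity that was authorized and the identity that
  // is written must be one and the same value, so reject any mismatch before
  // touching registry data.
  function publishFixed(user, urlPackageName, manifest) {
    if (!authorize(user, urlPackageName)) throw new Error("403 forbidden");
    if (manifest.name !== urlPackageName) {
      throw new Error(
        `400 package name mismatch: path=${urlPackageName} manifest=${manifest.name}`
      );
    }
    const list = versions.get(urlPackageName) ?? [];
    if (list.includes(manifest.version)) throw new Error("409 version already exists");
    list.push(manifest.version);
    versions.set(urlPackageName, list);
    return urlPackageName;
  }

  return {
    publishVulnerable,
    publishFixed,
    versionsOf: (name) => [...(versions.get(name) ?? [])],
  };
}

// Demo: mallory owns only mallorys-lib, publishes to the path she is
// authorized for, but uploads a manifest claiming to be popular-lib.
function demo() {
  const maliciousManifest = { name: "popular-lib", version: "4.17.22" };

  const vuln = createRegistry();
  const written = vuln.publishVulnerable("mallory", "mallorys-lib", maliciousManifest);

  const fixed = createRegistry();
  let rejected = false;
  try {
    fixed.publishFixed("mallory", "mallorys-lib", maliciousManifest);
  } catch (e) {
    rejected = true;
  }

  return {
    written,                                       // "popular-lib" on the vulnerable path
    vulnVersions: vuln.versionsOf("popular-lib"),  // now contains the attacker's 4.17.22
    rejected,                                      // true on the fixed path
    fixedVersions: fixed.versionsOf("popular-lib"),// unchanged
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The general lesson is that an authorization decision is only meaningful for the exact object identity the later operation uses; when the identity can come from two places (path, body, header, tarball), the service that performs the write must either reuse the already-authorized value or verify that the second source matches it.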

Has this vulnerability ever been exploited by attackers? Unfortunately, it’s impossible to say for certain: GitHub’s telemetry only reaches back to September 2020, and within that window it found no evidence of exploitation. Whether the flaw was abused before then cannot be determined.

Securing accounts and spotting malicious packages

While that avenue of attack is now closed, GitHub is also working on blocking two routes attackers commonly use against the registry: taking over existing maintainer accounts, and publishing malware from accounts the attackers create themselves.

To prevent account takeovers, GitHub already offers two-factor authentication (2FA) as an option on npm (it can be required for login only, or for login and publish operations). Starting early next year, 2FA will become mandatory for maintainers and admins of popular packages on npm.

The announced change follows the recent hijacking of several popular npm packages, ua-parser-js, coa and rc, which was possible because the maintainers’ accounts were not protected by 2FA.

“Even though high-impact account takeovers are relatively infrequent, when compared to direct malware published from attackers using their own accounts, account takeovers can be wide-reaching when targeted at maintainers of popular packages. While our detection and response time to popular package takeovers has been as low as 10 minutes in recent incidents, we continue to evolve our malware detection capabilities and notification strategies toward a more proactive response model,” Hanley said.

GitHub is also working on improving its automated monitoring and analysis capabilities so that malware and other malicious code is spotted as soon as it is published, across all existing accounts.