Researchers exploit “mixed-toc” NPM package

February 17, 2023

A group of researchers has hijacked a popular NPM package with millions of downloads. NPM (Node Package Manager) is a library and registry for JavaScript software packages, and is relied on by over 11 million developers worldwide.

The package in question is called “mixed-toc”, and is used to generate tables of contents for Markdown documents. The vulnerability affected version 1.2.2 of the package and allowed attackers to hijack the maintainers’ accounts and publish malicious code to the NPM registry.

According to Illustria, the vulnerability affected over 1,000 packages that depended on the “mixed-toc” package, potentially leaving millions of users exposed to the risk of attack. Illustria urged users to update to the latest version of the package (version 1.2.3) and advised NPM users to stay vigilant against security vulnerabilities in popular packages.

The researchers were able to steal tokens and bypass two-factor authentication by exploiting a vulnerability in the package’s code. This allowed them to take control of the package and distribute a malicious version of it. The malicious version contained a backdoor that would allow the attacker to take control of the user’s system and grant a threat actor access to the package’s associated GitHub account. That access effectively makes it possible to publish trojanized versions to the npm registry, which can be weaponized to conduct supply chain attacks at scale.

The researchers responsible for the discovery of the vulnerability are from a company called Illustria. They reported the vulnerability to the package’s maintainers, who were able to quickly fix the issue and release a new, secure version of the package.

“The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password,” Illustria said in a report. This happened after Illustria first purchased the domain for $8.46.

Even though npm limits each user account to a single active email address, Illustria added that the package’s associated GitHub account is also recoverable. A CI/CD automation token (used to publish packages automatically) can then be extracted from the project’s pipeline and used to publish new malicious packages on behalf of the maintainer account, given access to the GitHub account.
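The takeover chain Illustria describes starts with a maintainer whose email domain has lapsed. A defender can audit their own dependencies for that condition by pulling each package’s registry document and checking whether every maintainer’s email domain still resolves. The script below is an added example, not code from the article or from Illustria: the registry document is constructed sample data in the shape served by https://registry.npmjs.org/<package>, the package name and email addresses are placeholders, and the resolver is pluggable so the check can be run offline or swapped for a stricter DNS lookup.

```python
"""Audit the maintainer email domains in an npm registry document.

Added example (not from the article or from Illustria). The registry
document below is constructed sample data; the package name and email
addresses are placeholders, not real accounts.
"""
import json
import socket
from typing import Callable, Dict, List

# Constructed sample of the fields this check uses from a registry document
# (https://registry.npmjs.org/<package> returns the full document).
SAMPLE_REGISTRY_DOC = json.dumps({
    "name": "example-package",
    "dist-tags": {"latest": "1.2.3"},
    "maintainers": [
        {"name": "alice", "email": "alice@example.com"},
        {"name": "bob", "email": "bob@expired-example.invalid"},
    ],
})


def maintainer_domains(registry_doc: str) -> Dict[str, str]:
    """Map each maintainer name to the domain part of their email address."""
    doc = json.loads(registry_doc)
    result: Dict[str, str] = {}
    for maintainer in doc.get("maintainers", []):
        email = maintainer.get("email", "")
        if "@" not in email:
            continue  # malformed or withheld address; nothing to check
        result[maintainer["name"]] = email.rsplit("@", 1)[1].lower()
    return result


def dns_resolves(domain: str) -> bool:
    """Default resolver: True if the domain resolves to an address (needs network).

    This only checks A/AAAA records, so an MX-only mail domain or a transient
    DNS failure also reports False; treat a hit as a lead to verify, not proof
    that the domain has expired.
    """
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def find_unresolvable_maintainers(
    registry_doc: str, resolver: Callable[[str], bool] = dns_resolves
) -> List[str]:
    """Return the names of maintainers whose email domain does not resolve."""
    domains = maintainer_domains(registry_doc)
    return sorted(name for name, domain in domains.items() if not resolver(domain))


if __name__ == "__main__":
    # Offline run against the constructed sample: only example.com "resolves".
    offline_resolver = lambda d: d == "example.com"
    flagged = find_unresolvable_maintainers(SAMPLE_REGISTRY_DOC, offline_resolver)
    print("maintainers with non-resolving email domains:", flagged)
```

Run it across every entry in a lockfile to get a list of maintainers whose email domain deserves a closer look; a flagged domain is a prompt to verify ownership (and to confirm the maintainer has two-factor authentication enabled), not evidence of compromise on its own.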

The sources for this piece include an article in TheHackerNews.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
