back to article GitHub fixes authorisation vulnerability in the NPM JavaScript package registry

GitHub said it has fixed a longstanding issue with the NPM (Node Package Manager) JavaScript registry that would allow an attacker to update any package without proper authorisation. Chief security officer Mike Hanley posted yesterday about the issue, which was reported by security researchers Kajetan Grzybowski and Maciej …

  1. amanfromMars 1 Silver badge

    Cold comfort ......

    Hanley also revealed that the names of some privately published packages, which should not be listed on the public registry, were inadvertently exposed via a public NPM replica, for about a week. The content of the packages were not accessible, though....

    Sometimes just the name of a private package can reveal the true enough nature of the contents therein.

  2. Anonymous Coward
    Anonymous Coward

    > It is already possible to verify the PGP (Pretty Good Privacy) signature of an NPM package but this only guarantees that the package downloaded matches what was published, and would not help in the case where a package is published but without proper authorisation.

    If the downloaded-from-NPM package hash were matched to a hash stored at the source project location - e.g., github, gitlab, bitbucket, etc. - that *could* be more secure, because it would require two compromises. Provided the source project location and the npm package were truly independent. If the source project location were taken from the npm package.json file then it could obviously be a fake source project location.

    And if the are a dozen or hundreds of dependencies, then manual checking of each hash stored at the source project is infeasible.

    Supposing that source project repos were more secure than the NPM package repos, the source project could be used as a pointer to the NPM repo, along with the expected hash. That shouldn't be too much of a burden on the gitXXX provider in terms of delivery load. Obviously some problems with that plan too - it's still not independent and only requires one compromise - it's yet another standard - the first dependency that does not use it break the security of all dependencies below it.

    1. Anonymous Coward
      Anonymous Coward

      Not really, it would just require coordinated attacks.

    2. Anonymous Coward
      Anonymous Coward

      Npm packages can already be distributed from Github. Scoped packages names are free.

      You can configure npm to publish packages to GitHub Packages and to use packages stored on GitHub Packages as dependencies in an npm project. See:

      https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry

      The packages URL's are therefore effectively scoped and therefore within-same-project packages can easily be seen as coming from the same source. (Scoped packages names on NPM cost $7/month per scope, which is rather expensive.).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021