1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails
3. Take over packages
4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed
5. Enjoy world domination.
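Added example, not from the thread: a defender-side review check for step 4. It diffs two package-lock.json documents (lockfileVersion 2/3 "packages" map) and reports every dependency a pull request adds, removes or re-pins, warning when a tarball hash changes without a version change or a package resolves from a non-default registry host. Package names other than foreach, the versions, hosts and hashes are constructed for the demo.

```javascript
// Added example, not from the thread: diff two package-lock.json documents
// (lockfileVersion 2/3 "packages" map) so a dependency bump hidden inside a
// "security patch" PR is surfaced for review. All lockfile data is constructed.
const DEFAULT_REGISTRY = "https://registry.npmjs.org/";
function registryHost(resolved) {
  try { return new URL(resolved).host; } catch { return null; } // git/file deps may have no host
}

// Returns { added, removed, changed, warnings } describing how `after` differs from `before`.
function diffLockfiles(before, after) {
  const a = before.packages || {}, b = after.packages || {};
  const out = { added: [], removed: [], changed: [], warnings: [] };
  const tracked = ["version", "resolved", "integrity"];
  for (const [name, entry] of Object.entries(b)) {
    if (name === "") continue; // "" is the root project itself
    if (entry.resolved && !entry.resolved.startsWith(DEFAULT_REGISTRY)) {
      out.warnings.push(`${name}: resolved from ${registryHost(entry.resolved)} instead of the default registry`);
    }
    if (!(name in a)) { out.added.push({ name, version: entry.version }); continue; }
    const fields = tracked.filter((f) => a[name][f] !== entry[f]);
    if (fields.length === 0) continue;
    out.changed.push({ name, from: a[name].version, to: entry.version, fields });
    if (fields.includes("integrity") && !fields.includes("version")) {
      out.warnings.push(`${name}: tarball hash changed without a version change`);
    }
  }
  for (const name of Object.keys(a)) {
    if (name !== "" && !(name in b)) out.removed.push({ name, version: a[name].version });
  }
  return out;
}
// Constructed lockfile entries: versions, hosts and hashes below are made up for the demo.
const dep = (pkg, version, hash, host = "registry.npmjs.org") => ({
  version, resolved: `https://${host}/${pkg}/-/${pkg}-${version}.tgz`, integrity: `sha512-CONSTRUCTED-${hash}`,
});
const lockBefore = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/foreach": dep("foreach", "2.0.5", "A"),
  "node_modules/ms": dep("ms", "2.1.3", "B"),
} };
// The "patch" bumps foreach, re-points ms at another host with a new hash, and adds a package.
const lockAfter = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/foreach": dep("foreach", "2.0.6", "C"),
  "node_modules/ms": dep("ms", "2.1.3", "D", "example-mirror.invalid"),
  "node_modules/new-helper": dep("new-helper", "0.0.1", "E"),
} };
console.log(JSON.stringify(diffLockfiles(lockBefore, lockAfter), null, 2));
```

Run it against the lockfile on the PR's base branch and head branch; anything in `changed`, `added` or `warnings` deserves an explicit reviewer decision before merge.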
I just noticed "foreach" on npm is controlled by a single maintainer.

I also noticed they let their domain expire, so I bought it before someone else did.

I now control "foreach" on NPM, and the 36826 projects that depend on it.
@MylesBorins noted owner emails don't always match account emails which can offer limited mitigation. Social engineering to account support with an owner email is plan b.

Thankfully better MFA started rolling out today.

Now we just need code signing. https://twitter.com/mylesborins/status/1524065541648007169
Additional context on this thread was published in this article on @TheRegister including past efforts with my friend @JohnNaulty trying to call attention to NPM and Github supply chain security issues. https://twitter.com/TheRegister/status/1524156828271132673
The original maintainer has pushed a new release with an updated email address.

I have no viable path to this package now, even via social engineering with the old owner email.

My intent was to make a point to the community, which seems made now. :) https://github.com/manuelstofer/foreach/releases/tag/2.0.6
Just had a great chat with @MylesBorins on @npmjs security.

They are actively implementing account takeover defenses and there is at least some interest in bigger picture solutions like signing and web of trust.

I'll try to work with them vs against them moving forward.
TL;DR: IATA.

Even if an org has been dismissive of security problems historically, reach out again before putting them on blast.

Leadership and goals of companies can change so it is good to keep a jar of second chances handy.
Last update before I ignore social media for a few months again so I can resume being productive.

I contacted the foreach maintainer to close other account takeover vectors I didn't make public, and am returning their domain.

Maintainers: WebAuthn and sign all the things.
You can follow @lrvick.