Patchstack Weekly, Week 46: Attackers Targeting Software Repositories

Published 19 November 2021
Updated 19 July 2023
Robert Rowley
Author at Patchstack
Table of Contents

Welcome back to the Patchstack Weekly Security Update for November 18th, 2021!

In this update, I will talk about some security concerns behind package management systems and cover GitHub’s commitment to security as it pertains to their own package management system, the NPM registry.

I will then go on to answer the questions: “Are attackers targeting software repositories?” and “How could they monetize software package repositories?”

Vulnerability news

GitHub’s commitment to security

NPM or the Node Package Manager is a popular package management system for Node.js and had some important security news announced recently.

The GitHub security team announced their commitment to NPM security and openly spoke about how NPM packages are being targeted by attackers. How are the packages being hacked?

A common flaw: weak passwords leading to the developer’s account being taken over.

Which Node Package Manager Should I Use? (2019) | by Timothy Kaing | Medium
Picture from: “Which Node Package Manager Should I Use? (2019)” by Timothy Kaing

It is unfortunate that these accounts are being hacked, but a reminder that a secure password is always necessary.

The article goes on to report 2 security issues found on the NPM services recently. One data leak and one severe bug were reported to their bug bounty program. The data leak was related to private repository names, having been exposed during routine maintenance, this was a temporary problem with likely minimal impact.

The severe issue was a bug found in the authentication mechanisms, leading to a possible scenario where someone could publish updates to a package without the need for authentication. This second unauthenticated package update issue was reported to GitHub by two bug bounty researchers and could have been a serious issue had this information gotten into the wrong hands.

GitHub reports that they saw no evidence of this vulnerability being used by malicious parties as far back as their logs go.

Is NPM safe?

Yes, NPM is safe. Do not be startled by the contents of the post, it was GitHub showing you some good old fashion honesty and transparency. As they are the stewards of NPM’s security, this is a good thing.

GitHub also went on to let you know they will be enforcing stronger authentication requirements (2FA) for the account that have access to popular packages in the registry. Users of NPM can be assured that the packages and systems managing the packages, can be trusted.

Weekly knowledge

Software repositories like NPM are ubiquitous now, so the concern about the security of software repositories is something everyone who uses technology should be aware of.

On your phone, you probably download apps via the Apple app store or Google play. Browsers support extensions. Docker has Docker Hub. WordPress websites have plugins and theme repositories.

Even the languages themselves have repositories to help with the management of libraries: PHP had packagist, Ruby distributes libraries via RubyGems, Python uses Pip, and Javascript … well … Javascript has multiple solutions for managing libraries, like Yarn or NPM.

Are attackers targeting software repositories?

Yes, and this threat goes beyond NPM. There have been similar issues with bad packages being served via browser extensions in WordPress plugins and even through Google Play.

patchstack weekly

In the GitHub post, they said these attacks are successful due to developers choosing insecure passwords, but could also be when a package owner decides to betray their users and begins pushing malicious code, this would be an unethical way to monetize a product offered for free.

What are attackers doing to monetize these packages?

The attackers could do anything on the device since they’re able to run code. I would suspect a crypto-miner could be fruitful, but they could just as easily use the infected device, browser, or website to add one more node in a large bot-net to perform further attacks.

This is why the security stewards of these repositories are critical for the ecosystem to be safe and trusted. Be it Javascript, WordPress, Chrome, Android, or your operating system, if attackers gain control of a popular package on a trusted repository, someone needs to be there to stop them.

Thanks and appreciation

Thanks to this Patchstack weekly goes out to all of the package repository security stewards, which likely have a variety of titles, backgrounds, and experience, but they are the ones committed to reviewing and protecting their respective code repository.

Thanks go out to those taking on this task which may normally be a thankless job. But not today, I share my thanks to you for being a line of defense that keeps our trust in a community of developers who wish to distribute code for the world to use.

Special thanks go out to the GitHub security team for the transparent write-up about security within the NPM registry and to the two security researchers Kajetan Grzybowski (DrBrix) and Maciej Piechota (haqpl) for finding and reporting the critical issue they found.

I will be back with more security tips and news on next week’s edition of Patchstack Weekly Security Update!

Read the last week’s Patchstack weekly update here.

The latest in Patchstack Weekly

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.