Credential re-use: NPM JS revokes 4500 access tokens


A project maintainer re-used credentials and thus allowed attackers to upload Malware to software repo NPM JS. 4500 users now need to re-authenticate.

The package manager NPM JS allowed attackers to upload malicious code after they had gained access to a project account via a re-used password - presumably they wanted to spy on other users. The operators have responded to the reports about compromised credentials by revoking all access tokens issued before 2:30 pm (UTC) on 12 July 2018. All 4500 affected users of the service need to re-authenticate.

The incident affected the account of ESLint, a Javascript-package for static code analysis. NPM JS is a package manager for Javascript libraries used by many organizations. These include popular libraries and frameworks such as jQuery, Bootstrap, React and Angular as well as the web application framework Ember. A successful attack on a package manager has potentially far-reaching consequences, because the malicious code is then distributed to many computers via a trusted channel. If developer libraries are also infected, the malware can be inserted into end user programs, as happened with the manipulated Xcode version for the development of iOS apps.

With the compromised account the following packages were released through NPM: eslint-scope@3.7, babel-eslint and webpack. The affected packages have since been withdrawn from NPM JS. They contain malicious code that was probably intended to spy on other NPM users. After an initial analysis of NPM, access tokens from around 4,500 accounts could be spied on before the error was found and corrected. A detailed forensic analysis should clarify whether other accounts are affected or whether code has been smuggled into projects elsewhere in an irregular manner.

No data leakage at NPM

The creators of the project claim that the incident was not caused by a data leak at NPM itself. Rather, the access data of one account had become public elsewhere and were subsequently misused. ESLint itself claims, that the responsible project maintainer used his password several times on different platforms and that it leaked from there. The project encourages all account owners to use two-factor authentication in the future to avoid similar problems.

"Two-factor authentication is one of the most important security measures - for private individuals, but especially in a corporate environment," says G DATA Security Evangelist Tim Berghoff. "Even if login credentials have been spied on, access is not possible in this case. Especially important infrastructure such as a package manager should be particularly well secured." Two-factor authentication can be implemented easily using smartphone apps. Alternatively, hardware-based solutions such as USB tokens can be used, which are connected to the computer for login.