Security Expert Nabs Expired Domain for a Popular NPM Library's Email Address

'Security consultant Lance Vick recently acquired the expired domain used by the maintainer of a widely used NPM package,' reports the Register, 'to remind the JavaScript community that the NPM Registry still hasn't implemented adequate security.'

'I just noticed 'foreach' on NPM is controlled by a single maintainer,' wrote Vick in a Twitter post on Monday. 'I also noticed they let their domain expire, so I bought it before someone else did. I now control 'foreach' on npm, and the 36,826 projects that depend on it.'

That's not quite the full story — he probably could have taken control but didn't. Vick acquired the lapsed domain that had been used by the maintainer to create an NPM account and is associated with the 'foreach' package on NPM. But he said he didn't follow through with resetting the password on the email account tied to the 'foreach' package, which is fetched nearly six million times a week. In an email to the Register, Vick explained... 'I did not log into the account, as again, that crosses a line. I just sent a password reset email and bailed.

'Regardless of how much control I have over this particular package, which is unclear, NPM admits this particular expired domain problem is a known issue, citing this 2021 [research paper] which says, 'We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the NPM accounts.' In other words, anyone poking around is going to find accounts easy to take over in this way. I was not lucky or special.' His point, which he has been trying for several years to communicate to those overseeing NPM — a part of GitHub since March 2020 — is that taking over the NPM account of a popular project to conduct a software supply chain attack continues to be too easy.
Part of the problem is that JavaScript developers often use packages that implement simple functions that are either already built into the language, like forEach, or ought to be crafted manually to avoid yet another dependency, like left-pad (now built-in as padStart). These trivial packages get incorporated into other packages, which may in turn become dependencies in different packages, thereby making the compromise of something like 'foreach' a potentially far-reaching security incident.

But Vick argues that with so many upstream attack vectors, 'We are all just trusting strangers on the internet to give us good candy from their truck,' according to the Register. Their article points out that on Tuesday GitHub launched a beta test of improved 2FA security for all its NPM accounts — which Vick calls 'a huge win... [T]hat is the best way to protect accounts. We in the security community have been demanding this for years.'

But he's still worried about the possibility of email addresses with weak two-factor authentication or compromised NPM employees, and would like to see NPM implement cryptographic signatures for code. 'I am talking with a member of their team tomorrow and we will see where this goes.'

Read more of this story at Slashdot.