Thousands of npm Libraries Have Maintainers with Emails Hosted on Expired Domains


Joint research by North Carolina State University and Microsoft found that more than 2,800 maintainer email addresses were associated with expired domains, allowing attackers to hijack a total of 8,494 npm packages.

The npm registry holds 1.63 million JavaScript packages, many of them used in major projects. That reach makes it a prime target for criminals looking for a way in so they can compromise the software supply chain and launch man-in-the-middle attacks.

One of the attackers’ favorite tactics is to publish new packages with names very similar to those of the originals. These look-alike libraries, though, are malicious, offering attackers a way to take over systems and projects that might use them.

The new research sheds light on another problem: thousands of packages have maintainers whose email addresses are hosted on expired domains. In theory, this could let attackers take over and control almost 8,500 npm packages.

“We propose six signals of security weaknesses in a software supply chain, such as the presence of install scripts, maintainer accounts associated with an expired email domain, and inactive packages with inactive maintainers,” said the researchers.

The researchers also contacted GitHub and presented their findings, but the good news is that GitHub appears to have been aware of this issue and has already taken action. For now, 2FA has been enabled by default for the top 100 npm projects and, by the end of March, the same security measure will be extended to the rest. This means that emails hosted on expired domains should no longer be a big problem.

The study also proposed several weak-link signals, such as expired maintainer domains, installation scripts, unmaintained packages and a few others. These indicators would give each npm package a score, letting developers further down the line quickly identify unsafe libraries.
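To make the signals described above concrete, here is an added example (not the researchers’ tool, Bitdefender’s code or anything from npm) that checks an npm-style package document for three of the weak-link signals named in the article: install scripts, a maintainer email on an expired domain, and an inactive package. The package documents, the email addresses and the set of expired domains are all constructed for the example; a real check would obtain domain status from WHOIS/RDAP or DNS instead of a fixed table, and the one-point-per-signal score is an illustration, not the paper’s scoring method.

```python
"""Illustrative weak-link signal checker for npm package metadata.

Added example, not the researchers' or Bitdefender's code. It inspects a
package document shaped like the npm registry API's response and flags three
signals: install scripts, maintainer email on an expired domain, and an
inactive package. Domain status is supplied by the caller so the example runs
offline; in practice that lookup would query WHOIS/RDAP or DNS.
"""
from datetime import datetime, timedelta, timezone

# npm lifecycle hooks that run arbitrary commands at install time.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample registry documents (not real packages or people).
SAMPLE_PACKAGES = {
    "left-widget": {
        "name": "left-widget",
        "maintainers": [{"name": "alice", "email": "alice@example-active.test"}],
        "time": {"modified": "2021-11-02T10:00:00.000Z"},
        "scripts": {"test": "node test.js"},
    },
    "old-helper": {
        "name": "old-helper",
        "maintainers": [{"name": "bob", "email": "Bob@Lapsed-Domain.test"}],
        "time": {"modified": "2016-03-14T08:30:00.000Z"},
        "scripts": {"postinstall": "node setup.js"},
    },
}

# Constructed stand-in for a WHOIS/RDAP lookup of domain registration status.
EXPIRED_DOMAINS = {"lapsed-domain.test"}


def email_domain(email):
    """Return the lower-cased domain part of an address, or None if malformed."""
    if not email or email.count("@") != 1:
        return None
    return email.rsplit("@", 1)[1].lower()


def weak_link_signals(pkg, is_expired, now, inactive_after=timedelta(days=730)):
    """Return a dict mapping each signal found to its evidence.

    is_expired: callable(domain) -> bool; now: aware datetime used to judge
    inactivity; inactive_after: age of the last modification that counts as
    inactive (assumed threshold, two years here).
    """
    signals = {}

    # Signal 1: lifecycle scripts that execute code on `npm install`.
    scripts = pkg.get("scripts") or {}
    hooks = [h for h in INSTALL_HOOKS if h in scripts]
    if hooks:
        signals["install_scripts"] = hooks

    # Signal 2: any maintainer whose email domain is no longer registered.
    domains = {email_domain(m.get("email")) for m in pkg.get("maintainers", [])}
    expired = sorted(d for d in domains if d and is_expired(d))
    if expired:
        signals["expired_maintainer_domain"] = expired

    # Signal 3: package not modified for longer than the inactivity window.
    modified = pkg.get("time", {}).get("modified")
    if modified:
        last = datetime.fromisoformat(modified.replace("Z", "+00:00"))
        if now - last > inactive_after:
            signals["inactive_package"] = last.date().isoformat()

    return signals


def score(signals):
    """One point per signal present; higher means a weaker link."""
    return len(signals)


def audit(packages, expired_domains, now):
    """Score every package document; returns name -> (score, signals)."""
    result = {}
    for name, pkg in packages.items():
        signals = weak_link_signals(pkg, expired_domains.__contains__, now)
        result[name] = (score(signals), signals)
    return result


def audit_sample():
    """Run the audit over the constructed data at a fixed reference date."""
    now = datetime(2022, 2, 1, tzinfo=timezone.utc)
    return audit(SAMPLE_PACKAGES, EXPIRED_DOMAINS, now)


if __name__ == "__main__":
    for name, (points, found) in audit_sample().items():
        print(f"{name}: score={points} signals={found}")
```

Running it prints a score of 0 for `left-widget` and 3 for `old-helper`, which carries a `postinstall` hook, a maintainer on the expired domain and no modification since 2016. Keeping the domain check behind a callable is deliberate: it lets the same logic run against a live registration lookup without touching the scoring code.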