Thousands of JavaScript developers are using an email address on an expired domain for their npm accounts, leaving their packages open to easy hijacking, according to an academic study.

Researchers from Microsoft and North Carolina State University studied the metadata of 1,630,101 libraries posted to Node Package Manager (npm), the de-facto repository for JavaScript libraries and the internet’s largest package repository, in a study published last year.

The attack is straightforward: anyone can register an expired domain, set up a mailbox for the maintainer's old address, and then receive the password-reset email for the npm account. Because npm did not require two-factor authentication (2FA) for account owners at the time of the study, nothing further stood in the attacker's way once the password was reset, and they were free to publish new versions of every package the account controlled.

The 2,818 maintainer accounts tied to expired domains controlled 8,494 packages with an average of 2.43 direct dependents each, according to the research team, so a hijack of any of them would also reach tens of thousands of downstream projects.

Account owners could in principle notice such a takeover, but the researchers also pointed out that many npm packages (58.7%) and maintainer accounts (44.3%) are inactive or abandoned, so an attacker could act without the maintainers ever noticing.

The research paper "What are Weak Links in the npm Supply Chain?" has more information about the study. Other findings from the research team include:

Install scripts were used in 2.2 percent (33,249) of packages. These run arbitrary commands on the installing machine and are discouraged by npm's recommended security practices.
The top 1% of packages (14,941) had an average of 32.4 maintainers per package, leaving room for attacks through inactive or inattentive maintainers' accounts.
389 packages had more than 40 contributors per maintainer, which makes it easier for a security flaw to slip in unnoticed or for a flood of contributions to be used to smuggle malicious code into a project.
The top 1% of maintainers own an average of 180.3 packages with 4,010 direct dependents, suggesting that some maintainers may be overloaded and unable to properly review or approve package updates.