GitHub took only 6 hours to fix a long-standing vulnerability in the NPM JavaScript registry

GitHub said today that its team has fixed a long-standing flaw in the NPM (Node Package Manager) JavaScript registry that would have allowed an attacker to publish a new version of any package without being authorized to do so. Chief Security Officer Mike Hanley disclosed the issue yesterday. It was reported by security researchers Kajetan Grzybowski and Maciej Piechota on November 2 and was fixed within 6 hours of the report.

This impressive speed stands in sharp contrast to how long the vulnerability had existed: according to GitHub, it predates the telemetry the company still retains, which goes back to September 2020. The flaw follows a familiar insecure pattern in which the system correctly authenticates a user, and even checks that the user is authorized for the action they asked for, but then performs a privileged operation on something other than what was checked, granting access beyond the user's permissions.


In this case, the NPM service correctly verified that the user was authorized to publish the package named in the request, but, in Hanley's words, "the service that updates the registry data at the bottom level decides which package to publish based on the content of the uploaded package file." In other words, the authorization check and the registry write were keyed on two different identifiers: the package name the user asked to publish, and the package name carried inside the uploaded artifact. An attacker who controls any package could therefore pass the check for their own package and then upload content naming a package they do not own.
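The mismatch described above, reduced to a minimal in-memory registry. This is an added illustration written for this page, not npm's own code: the package data, the user names and the `manifest` object standing in for a package tarball are all constructed assumptions. The vulnerable handler authorizes one name and writes to another; the hardened handler binds the write to the name it authorized and rejects any upload whose embedded name disagrees.

```javascript
// Constructed illustration of an authorization/identity mismatch in a
// package-publish endpoint. Not npm's code; all names and data are made up.

// Fresh registry state: who may publish which package, and what is published.
function createRegistry() {
  return {
    maintainers: {
      lodash: new Set(['jdalton']),
      'mallory-utils': new Set(['mallory']),
    },
    packages: {
      lodash: { version: '4.17.21', publishedBy: 'jdalton' },
      'mallory-utils': { version: '1.0.0', publishedBy: 'mallory' },
    },
  };
}

// Authorization check: is `user` a maintainer of the package named in the request?
function isAuthorized(reg, user, packageName) {
  const owners = reg.maintainers[packageName];
  return owners !== undefined && owners.has(user);
}

// Vulnerable handler. `upload.manifest` stands in for the metadata carried
// inside the uploaded package file (package.json in a real npm tarball).
function vulnerablePublish(reg, user, requestedName, upload) {
  if (!isAuthorized(reg, user, requestedName)) {
    return { ok: false, reason: 'forbidden' };
  }
  // BUG: the privileged write is keyed on the name inside the upload,
  // not on the name that was just authorized.
  const target = upload.manifest.name;
  reg.packages[target] = { version: upload.manifest.version, publishedBy: user };
  return { ok: true, wrote: target };
}

// Hardened handler: the write uses the authorized identifier, and an upload
// whose embedded name disagrees with it is rejected outright.
function hardenedPublish(reg, user, requestedName, upload) {
  if (!isAuthorized(reg, user, requestedName)) {
    return { ok: false, reason: 'forbidden' };
  }
  if (upload.manifest.name !== requestedName) {
    return { ok: false, reason: 'name mismatch' };
  }
  reg.packages[requestedName] = { version: upload.manifest.version, publishedBy: user };
  return { ok: true, wrote: requestedName };
}

// Constructed attack: mallory only maintains mallory-utils, but uploads an
// artifact whose manifest claims to be lodash.
function demo() {
  const maliciousUpload = { manifest: { name: 'lodash', version: '4.17.22' } };

  const vulnReg = createRegistry();
  const vulnResult = vulnerablePublish(vulnReg, 'mallory', 'mallory-utils', maliciousUpload);

  const hardReg = createRegistry();
  const hardResult = hardenedPublish(hardReg, 'mallory', 'mallory-utils', maliciousUpload);

  return {
    vulnerableResult: vulnResult,               // { ok: true, wrote: 'lodash' }
    lodashAfterVulnerable: vulnReg.packages.lodash, // now publishedBy 'mallory'
    hardenedResult: hardResult,                 // { ok: false, reason: 'name mismatch' }
    lodashAfterHardened: hardReg.packages.lodash,   // untouched
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check that closes the hole is the single comparison between the requested name and the embedded name; the deeper fix is structural, which is why the hardened handler never reads `upload.manifest.name` as the key for a write.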

NPM is a critical resource for millions of developers. One of its most popular packages, for example, is lodash, a JavaScript utility library downloaded about 7 million times a day. A malicious version of a package like that would have severe consequences, so it matters that Hanley added, "We can confidently say that this vulnerability has not been maliciously exploited since at least September 2020." That statement is bounded by the telemetry GitHub retains; it does not cover the period before September 2020 during which the flaw also existed.
