The logical flaw in the NPM registry enables to add anyone as maintainer

The bug allows attackers to distribute malware as legitimate bundles

Malicious packages can be associated with legitimate developers due to the logical bug

The vulnerability in NPM enabled authors of the malicious packages to add any user as the maintainer to the packages. Any number of users can be added to boost the trust in these malicious packages.^[1] The GitHub-owned repository of the NodeJS components now fixed the flaw after multiple reports and security company notices.^[2]

The logical flaw was disclosed in the default package manager for the node.js JavaScript runtime environment allows malicious actors to pass off the rogue libraries as legitimate and trick developers into cluelessly installing them. The supply chain threat has been named Package Planting by Aqua researchers.^[3]

Up until recently, npm allowed adding anyone as a maintainer of the package without notifying these users or getting their consent

They were the ones who disclosed the issue on February 10. It was remediated by the NPM on April 26. There were a lot of flaws already.^[4] The step will not notify the person or company that gets added as the maintainer of this malicious package. The user also is not required to approve the move.

All actions of the malicious actor remain silent

These malicious packages can contain various materials and create problems. The worst thing about the flaw that allows adding maintainers is the fact that the added party has no idea it happens. Also, malicious actors can also add people or companies and remove themselves from the list of maintainers. So the only maintainer of the illicit package has no idea about this relation to the malicious operations.

This is how criminals remove responsibilities and can lend credibility to their malicious components by associating legitimate users and companies with their products. The bug makes it possible to add credible developers, popular companies, and people as maintainers. This is the way to scam other developers into installing their packages without raising any suspicion.

The research team even shows the example of the operation and creates the particular package. Then adds Facebook and NPM to the list of the particular projects and removes the original creator. Anyone can see the listing and fall for the trick once the maintainers like this are indicated.

Major consequences

Unfortunately, this is more than a security issue. The supply chain attack^[5] like this triggers significant issues and is dangerous for many reasons. It creates a false sense of trust for the other developers and creates damage to the reputation of legitimate companies and package maintainers.

Researchers stress that this is a security flaw, but the technique can be abused by adversaries to particularly tarnish the reputation of well-known and respected developers on purpose. These future maintainers added to the list can be specifically picked by the attacker and affect the reputation besides improving their goals and ensuring the popularity of the package.

Opportunistic cybercriminals can achieve more with flaws like this package planting. These vulnerabilities provide the opportunity to gain money and spread their malicious packages while affecting enemies and more popular and huge companies. This is achievable without bugs like this one, so these techniques only further empower threat actors.

GitHub fixed the flaw and introduced particular steps like inviting the new maintainer to your NPM package by asking them to approve the request before they are added to the particular project. There is no way to replicate the opportunity anymore, so other threat actors should not try to leverage the technique.