
Thousands of npm Libraries Have Maintainers with Emails Hosted on Expired Domains

Silviu STAHIE

February 16, 2022


Joint research by North Carolina State University and Microsoft found that more than 2,800 maintainer email addresses were associated with expired domains, leaving a total of 8,494 npm packages open to hijacking.

The npm registry hosts 1.63 million JavaScript packages, including many used in major projects. That reach makes it a prime target for criminals looking to compromise the software supply chain: malicious code planted in one widely used package is pulled into every project that depends on it.

One of the attackers' favorite tactics is typosquatting: publishing new packages with names very similar to popular ones. These look-alike packages carry malicious code, giving attackers a way into the systems and projects that install them by mistake.

The new research sheds light on another problem: thousands of maintainer accounts use email addresses hosted on domains that have since expired. Anyone who registers such a domain can receive mail sent to the old address, including account-recovery messages for the maintainer's npm account. In theory, this could let attackers take over and control almost 8,500 npm packages.

"We propose six signals of security weaknesses in a software supply chain, such as the presence of install scripts, maintainer accounts associated with an expired email domain, and inactive packages with inactive maintainers," said the researchers.

The researchers also contacted GitHub, which owns npm, and presented their findings. GitHub was already moving in this direction: 2FA is now required for maintainers of the top 100 npm packages, and a wider rollout is planned by the end of March. For accounts covered by that requirement, control of the email address alone is no longer enough to take over the account, which blunts the expired-domain attack; maintainers of packages outside the mandate still need to enable 2FA themselves.

The study proposes scoring each package on these weak-link signals (expired maintainer domains, install scripts, unmaintained packages and a few others) so that developers downstream can quickly spot risky libraries before depending on them.
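The script below is an added example of how such a score can be computed from a package's public registry document; it is not the researchers' tool or code from this article. It evaluates three of the signals named above (install hooks in the latest manifest, maintainer email domains that are no longer registered, and a long gap since the last publish). The registry document shape follows what `https://registry.npmjs.org/<package>` returns; the use of the rdap.org redirector for the registration check, the two-year inactivity threshold and the sample package are assumptions made for this example.

```python
# Added example: scoring an npm registry document for three "weak link"
# signals. Not the researchers' code. The document shape follows
# https://registry.npmjs.org/<package>; the RDAP check, the two-year
# inactivity threshold and the sample package are assumptions.
from __future__ import annotations

import json
from datetime import datetime, timezone
from typing import Callable
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import urlopen

# npm lifecycle hooks that run arbitrary commands on `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def rdap_domain_registered(domain: str) -> bool:
    """Network check (assumption: the rdap.org bootstrap redirector).

    A 200 means a registration record exists. A 404 means nobody holds the
    domain, so anyone could register it and start receiving mail sent to the
    maintainer's old address, including account-recovery messages.
    """
    try:
        with urlopen(f"https://rdap.org/domain/{quote(domain)}", timeout=10) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code == 404:
            return False
        raise


def maintainer_domains(pkg: dict) -> set[str]:
    """Distinct email domains of every listed maintainer."""
    domains = set()
    for maintainer in pkg.get("maintainers", []):
        email = maintainer.get("email", "")
        if "@" in email:
            domains.add(email.rsplit("@", 1)[1].lower())
    return domains


def weak_link_signals(pkg: dict, now: datetime,
                      is_registered: Callable[[str], bool] = rdap_domain_registered,
                      inactive_after_days: int = 2 * 365) -> dict:
    """Evaluate the install-script, expired-domain and inactivity signals.

    The score is simply the number of signals that fired (0 to 3).
    """
    latest = pkg["dist-tags"]["latest"]
    scripts = pkg["versions"][latest].get("scripts", {})
    install_scripts = sorted(hook for hook in INSTALL_HOOKS if hook in scripts)

    expired = sorted(d for d in maintainer_domains(pkg) if not is_registered(d))

    last_change = datetime.fromisoformat(pkg["time"]["modified"].replace("Z", "+00:00"))
    inactive = (now - last_change).days > inactive_after_days

    signals = {
        "install_scripts": install_scripts,
        "expired_domains": expired,
        "inactive": inactive,
    }
    signals["score"] = int(bool(install_scripts)) + int(bool(expired)) + int(inactive)
    return signals


# Constructed sample in the registry's document shape; package, people and
# domains are fictitious and chosen so that all three signals fire.
SAMPLE_PKG = json.loads("""
{
  "name": "example-widget",
  "dist-tags": {"latest": "1.4.0"},
  "versions": {
    "1.4.0": {"scripts": {"test": "mocha", "postinstall": "node setup.js"}}
  },
  "time": {"modified": "2019-05-01T10:00:00.000Z"},
  "maintainers": [
    {"name": "alice", "email": "alice@old-maintainer.example"},
    {"name": "bob", "email": "bob@example.org"}
  ]
}
""")


def demo() -> dict:
    """Offline run: a fixed set of known-registered domains stands in for RDAP."""
    registered = {"example.org"}
    return weak_link_signals(
        SAMPLE_PKG,
        now=datetime(2022, 2, 16, tzinfo=timezone.utc),
        is_registered=lambda domain: domain in registered,
    )


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real package, fetch the registry document with `urlopen` and pass `datetime.now(timezone.utc)` as `now`, leaving `is_registered` at its default so the RDAP lookup runs; the WHOIS/RDAP check matters because an expired domain can still resolve in DNS while parked, so a plain DNS lookup would miss it.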
