In 2020 Microsoft’s GitHub acquired NPM (makers of the default package manager for Node.js). The company’s web page boasts that npm “is a critical part of the JavaScript community and helps support one of the largest developer ecosystems in the world.”
But now BleepingComputer reports on two security flaws found (and remediated) in its software registry. Names of private npm packages on npmjs.com’s ‘replica’ server (consumed by third-party services) were leaked — but in addition, a second flaw could’ve allowed attackers “to publish new versions of any existing npm package that they do not own or have rights to, due to improper authorization checks.”
In a blog post this week GitHub’s chief security officer explained the details:
During maintenance on the database that powers the public npm replica at replicate.npmjs.com, records were created that could expose the names of private packages. This briefly allowed consumers of replicate.npmjs.com to potentially identify the