npm Inc, the company that runs the npm package manager, has addressed the issue at the start of June by triggering password reset operations for all affected users.
Initially, there was a lot of confusion about npm Inc's actions, and many believed the organization might have been breached. It was only over the last weekend when we discovered the real reason behind the massive npm account password resets that took place at the start of the month.
Speaking to Bleeping Computer, the developer said he performed a series of checks for leaked passwords since May this year, and forwarded the results to npm Inc, who then opted to reset the passwords of all affected users.
Skovoroda's interest in exposing leaked passwords didn't come out of the blue. The developer has been warning npm users since 2015 when he first started noticing careless developers leaving passwords for their npm accounts in their code or other places.
"I was originally working on some other thing: a crude code scanner over all of npm packages to check how frequent and where are some Node.js APIs being used, for the needs of [Node.js] project," Skovoroda told Bleeping Computer in a private conversation about his initial 2015 scan.
"Back then, I noticed packaged credentials in some npm packages," he added. "That was [an] issue I reported to npm Inc over email back then."
The result of his initial report was that npm Inc added a feature to scan for user credentials in npm packages and revoke them.
"This [latest] check was started at the beginning of May on the Node.js collaborator summit [...] mostly in free time, with a tool to collect the published credentials from GitHub and check them against npm automatically," Skovoroda says.
The developer later improved his scanner to check whether npm accounts used common passwords such as "123456" or "password," and later still to check for cleartext passwords leaked in public breaches such as those from Adobe, Last.fm, and others.
"I was mostly doing this at a slow pace in my free time until the scan over leaked passwords started giving me lots of valid accounts," Skovoroda says, "I didn't expect that to happen originally."
When he finished, the developer says he forwarded the results of his scan to npm's team, who reset passwords for all affected accounts.
This automatic dependency management system means that when a developer loads npm package A, he also loads its dependencies, npm packages B, C, D, E, F, G, and so on.
While Skovoroda discovered credentials that granted him direct publish access to only 13% of npm packages, through dependencies, an attacker would have been able to spread his malicious code to about 52% of the entire npm ecosystem.
Whenever the owner of an indirectly affected package rebuilt his project — for an update or bugfix release — he would have loaded the tainted npm packages into his project, and granted the attacker a means to reach his users.
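The 13% versus 52% figures above are the difference between direct publish access and transitive reach through reverse dependencies. The following is an added example, not code from the article, from npm Inc or from Skovoroda's scanner: it builds a reverse-dependency graph from a small constructed package set (all package names are made up) and measures how far a compromise of one package would propagate, the kind of blast-radius estimate a registry operator or a security team would run over its own dependency data.

```javascript
// Added example (constructed data, not npm's real graph): estimate the share of
// an ecosystem that is reachable from a set of compromised packages by walking
// reverse dependencies (dependents) transitively.

// package name -> its direct dependencies (constructed sample ecosystem)
const DEPENDENCIES = {
  "app-one": ["web-framework", "logger"],
  "app-two": ["web-framework"],
  "web-framework": ["http-utils", "logger"],
  "http-utils": ["tiny-parser"],
  "logger": [],
  "tiny-parser": [],
  "cli-tool": ["logger"],
  "isolated": [],
};

// Invert the graph: for each package, the set of packages that depend on it.
function reverseGraph(deps) {
  const dependents = new Map();
  for (const name of Object.keys(deps)) dependents.set(name, new Set());
  for (const [name, list] of Object.entries(deps)) {
    for (const dep of list) {
      if (!dependents.has(dep)) dependents.set(dep, new Set());
      dependents.get(dep).add(name);
    }
  }
  return dependents;
}

// Breadth-first walk up the dependents graph from the compromised packages.
// Returns every package that would pull in tainted code on its next rebuild,
// plus the direct and transitive share of the whole package set.
function transitiveImpact(deps, compromised) {
  const dependents = reverseGraph(deps);
  const reached = new Set(compromised);
  const queue = [...compromised];
  while (queue.length > 0) {
    const current = queue.shift();
    for (const upstreamUser of dependents.get(current) || []) {
      if (!reached.has(upstreamUser)) {
        reached.add(upstreamUser);
        queue.push(upstreamUser);
      }
    }
  }
  const total = dependents.size;
  return {
    reached: [...reached].sort(),
    directShare: compromised.length / total,
    transitiveShare: reached.size / total,
  };
}

// Usage: a single small, deeply depended-on package is compromised.
const report = transitiveImpact(DEPENDENCIES, ["tiny-parser"]);
console.log(report);
```

Run with Node.js; on the constructed graph, one compromised package (12.5% of the set) reaches 5 of 8 packages (62.5%) through `http-utils`, `web-framework` and the two applications, which is the same shape as the 13% to 52% jump the article reports.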
Thanks to Skovoroda's forward thinking, npm Inc was alerted and has now implemented extra checks that will automatically ask users to change their passwords if they use simplistic or previously exposed credentials.
Below are some of the other results of Skovoroda's scan, some of which readers will find very interesting.
[Excerpt from Skovoroda's scan results, partially lost in extraction: the express package has 13 million downloads/month at the moment; 13 users had more than 50 million downloads/month; the list of weak passwords found includes entries of the form «123456», 168 and «123», 115.]
Similarly, a team of researchers detailed the possibility of an npm worm that would also use npm dependencies to spread and infect other npm packages.
Image credits: npm, Inc., Bleeping Computer