Researchers recently took advantage of a widely-used NPM package with millions of downloads.

It has been discovered that a popular npm package with over 3.5 million weekly downloads is at risk of an account takeover attack, setting users up for potential security breaches! "The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password," software supply chain security company Illustria said in a report. Although npm's security precautions only permit one active email address per profile, the Israeli organization found that it was capable of resetting GitHub password through the recovered domain.

In summary, this attack provides a malicious actor with the capability of gaining access to the package's GitHub account. This enables them to distribute dangerous versions on the npm registry which can be used for large-scale supply chain attacks. Unlock the potential of your repository by taking advantage of a GitHub Action that is configured to instantly publish packages upon code changes. "Even though the maintainer's npm user account is properly configured with [two-factor authentication], this automation token bypasses it," Bogdan Kortnov, co-founder and CTO of Illustria, said.

Although the exact module remains unannounced, Illustria contacted its maintainer and enforced precautionary steps in order to block any possible takeover. Unfortunately, this isn't a one-time incident; malicious actors have targeted developer accounts for several years now - most notably in 2022 with ctx Python package's domain being seized and replaced by an unauthorized version. As such, it is essential that developers take all necessary measures to secure their accounts from potential threats.