In an academic research project published last year, researchers from Microsoft and North Carolina State University analyzed the metadata of about 1.63 million libraries hosted on the Node Package Manager (npm) registry and found that thousands of JavaScript developers had registered their npm accounts with email addresses whose domains had since expired. Because a password reset is delivered to that address, such packages can be hijacked by anyone who registers the lapsed domain.

The email address of every npm user is reportedly publicly available: it is returned in the metadata when a package or user profile page is requested from the registry.


npm is the largest repository of JavaScript packages. The researchers found that 2,818 package maintainers' accounts were still tied to email addresses on expired domains, and that some of those domains were listed for sale on registrars such as GoDaddy. An attacker could therefore buy an expired domain, recreate the maintainer's mailbox on a mail server for that domain, request a password reset from npm, and take over every package the account maintains.

The following screenshots show a developer attempting to take over the ajv-formats package (maintained by additiveamateur) and successfully "hijacking" it.

  1. The first step is to obtain the registered email address of the account: carlo[@]machina.bio

  2. Purchase the expired domain name: machina.bio

  3. After taking control of the account's email address through the domain, attempt a password reset on npm.

     This step ran into some problems, but the developer was able to resolve them by contacting npm support.

Finally, the password of the ajv-formats maintainer's account was successfully reset.

The developer then logged in and took over the project.

The researchers said they sent their findings to the npm security team before the study was released. Although they received no reply, npm announced plans to gradually enforce 2FA (two-factor authentication) on developer accounts before the study was officially published.