Security / Software Development

Almost 1/3 of Top npm Accounts Aren’t Protected with 2FA

7 Apr 2022 12:32pm, by

The npm JavaScript package manager and default package manager for the JavaScript runtime environment Node.js is insanely popular. It’s the largest software registry in the world. But its security has nothing to write home about. A recent study by Aqua Security‘s Team Nautilus found that 32% of the top 35 npm packages are at risk of account takeover because their dependencies’ owners haven’t properly employed two-factor authentication (2FA).

We need this like we need a hole in the head.

Hard to Secure

By its very nature, npm is a horror show to secure. Npm enables you to use external libraries and supports dependency management. Combined this makes it all too easy to call third-party libraries and dependencies for your project. In addition, while in theory npm packages include everything needed for their functionality all too often, many packages download additional resources upon installation. Sure, you checked the specific program for security problems but what about all its dependencies and its downloads?

Can you say “dependency hell?” I can.

A 2019 study found that on average, npm packages implicitly trust 79 third-party packages and 39 maintainers. Additionally, popular packages often influence over 100,000 other packages. This makes them prime attack targets.

Only 100 Projects

Now, npm finally adopted 2FA for its top 100 projects, but that’s nothing like enough. And remember all those dependencies? If only one of those is compromised, thousands of applications can be transformed into cryptominers. That’s not just an idle worry. It’s already happened. UA-Parser-JS, an npm package with millions of weekly downloads, which was briefly compromised with crypto mining and password-exfiltration malware.

Two-factor authentication is also planned for high-impact packages. That is, packages with more than 1 million weekly downloads or 500 dependencies. That’s a good start, but again, it’s not enough. All npm accounts need 2FA protection.

Minimize the Attack Surface

Now, 2FA isn’t perfect. Far from it! And, we also know that many developers hate using 2FA, but it’s so, so much better than the alternative.

Consider though if you were a hacker how much easier it would be to attack someone’s account who wasn’t using 2FA? Guess what? It turns out that, until recently, you could automatically find out whether someone had 2FA enabled. If your npm projects are widely used, you might as well put a target on your back.

So it is that Aqua Security strongly suggests as developers we minimize our attack surfaces and make account takeover more challenging for attackers. “Otherwise, the results can be damaging to the whole community.” In particular, “we strongly encourage developers who contribute to open source and create packages to enable 2FA on all their accounts.”

To that, I can only say, “Amen!”

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Aqua Security.

Featured image via Pixabay.