Information about private Git repositories leaks via npm's public replication stream for a whole week

Jul 8, 2015 08:12 GMT  ·  By

npm, the package manager for Node.js applications, has fixed a security loophole that leaked critical information about private packages.

The name npm is easy to confuse, because it refers both to the company that runs the central package registry and to the Node.js command-line utility of the same name that talks to it.

This article is about the company. Besides the free Node.js modules it delivers from its servers to millions of developers, it also offers "private modules," served through the same npm command-line utility that is used for public packages.

Private modules are a premium offering, and they help the company pay the server bill for its free service: acting as the package manager for the Node.js community.

On July 2, two of npm's customers informed the team that data about private modules was leaking through the external replication stream used for public packages.

This special replication stream allows npm to deliver modules beyond China's Great Firewall, along with various other tools created by the community, helping take the load off some of the main servers.

It took the team 37 minutes to fix the issue, but unfortunately the leak had been active and undetected since June 26.

Information on private npm modules leaks undetected for a whole week

As the npm team details the incident, the problem arose because the same server sends out metadata for both public and private modules, relying on a filter to strip private information out of the public feed.

At one point an older Ansible script was accidentally executed, the filtering of private data stopped, and sensitive private information was exposed on the server's replication endpoint.

This means that anyone who was interested and aware could have easily read information about private packages: their names, package versions, publication dates, version requirements, SHA sums, URLs to private Git repositories, and README files.

While most of this information is of little use on its own, and private Git repositories check for authorization before delivering tarballs (downloads), the most worrisome issue was the README files, which were served raw.

In most cases these files contain sensitive information: what the code is for, some of its inner workings, who uses it, and sometimes code samples, all of which attackers can use.

Since private npm packages are commonly used by companies developing applications for internal use, someone could easily have found out what these companies are working on and used the README information to plan future attacks.

The positive side is that no other details, such as user passwords, billing information, or package tarballs, were leaked.

To prevent this from happening again, the npm team plans to move the replication process for private modules to another network zone, forbid manual configuration changes to the replication process, and also monitor replication endpoints for private data in the future.
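As an added illustration of that last mitigation (this is example code, not npm's own), the following script consumes a replication feed and flags any private-package document that appears on it. The feed layout (a CouchDB-style list of rows with an `id` and a `doc`) and the use of a `private` flag or a scoped `@org/name` to mark private packages are assumptions, and the sample rows are constructed:

```python
"""Monitor for a public replication feed (added example, not npm's code).

A document counts as private if it carries "private": true or has a scoped
name such as @acme/billing-core (both assumptions for this example).
"""
import json

# Constructed sample of what a replication endpoint might serve.
SAMPLE_FEED = json.dumps([
    {"id": "left-pad", "doc": {"name": "left-pad", "readme": "pads strings",
                              "versions": {"1.0.0": {}}}},
    {"id": "@acme/billing-core",
     "doc": {"name": "@acme/billing-core", "private": True,
             "readme": "Internal billing engine. Talks to ledger-db.",
             "repository": {"url": "git+ssh://git@git.acme.example/billing.git"},
             "versions": {"2.3.1": {}}}},
    {"id": "express", "doc": {"name": "express", "versions": {"4.13.0": {}}}},
])


def is_private(doc):
    """A doc is private if flagged or if its name is scoped (@org/name)."""
    return bool(doc.get("private")) or doc.get("name", "").startswith("@")


def filter_public_feed(rows):
    """The filter that should sit in front of the public endpoint."""
    return [row for row in rows if not is_private(row["doc"])]


def find_private_leaks(rows):
    """Monitor: list private packages on the feed and which fields leaked."""
    leaks = []
    for row in rows:
        doc = row["doc"]
        if not is_private(doc):
            continue
        fields = [f for f in ("readme", "repository") if doc.get(f)]
        leaks.append({"name": doc["name"], "leaked_fields": fields,
                      "versions": sorted(doc.get("versions", {}))})
    return leaks


def check_feed(raw_json):
    """Return (leaks, filtered rows); a non-empty leaks list means the filter failed."""
    rows = json.loads(raw_json)
    return find_private_leaks(rows), filter_public_feed(rows)


if __name__ == "__main__":
    for leak in check_feed(SAMPLE_FEED)[0]:
        print("PRIVATE DATA ON PUBLIC FEED:", leak)
```

Running the monitor periodically against the public endpoint, and alerting on any non-empty result, is the detection the page says npm intended to add.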