Incident report: npm, Inc. operations incident of July 12, 2018
This summary is created by Generative AI and may differ from the actual content.
Overview
Early in the morning of July 12, an individual gained access to an npm publisher's account and used this access to publish an unauthorized update of a popular package. The update included malicious code that would have attempted to access the accounts of additional npm users by obtaining these accounts' access tokens. However, we have not found evidence that any tokens were actually obtained or used to access any npmjs.com account during this window.
Impact
We determined that access tokens for approximately 4,500 accounts could have been obtained before we acted to close this vulnerability.
Trigger
An individual gained access to an npm publisher's account and used this access to publish an unauthorized update of a popular package.
Detection
npm has revoked every access token that had been created prior to 2:30 pm UTC (7:30 am California time) today.
Resolution
This measure requires every registered npm user to re-authenticate to npmjs.com and generate new access tokens, but it ensures that there is no way for this morning's vulnerability to persist or spread.
Root Cause
This morning's incident did not happen because of an npmjs.com breach, but because of a breach elsewhere that exposed a publisher's npm credentials.
