Last week, the npm registry had an operations incident that caused a number of highly depended-on packages, such as require-from-string, to become unavailable. While the incident itself was relatively straightforward to resolve, it exposed a serious security weakness that could have been exploited to inject malicious code into projects that install from npm.
According to the official report, the root cause of the incident was the mistaken decision to remove the user named "floatdrop" and to make all of their packages undiscoverable and blocked. That decision was triggered by the publication of a spam package that also contained the README of floatdrop's legitimate package timed-out. Because the READMEs matched, npm's anti-spam system flagged floatdrop as associated with the spammer, which led to the removal of the user and all of their packages.
The npm staff quickly discovered that floatdrop was a legitimate user and that some of their packages were widely used, and acted promptly to restore them all. In the short time this took, however, a number of packages with the same names as those removed had been published and installed an unspecified number of times.
Although the npm staff confirmed that none of those replacement packages were malicious, an incident of this kind could have been exploited to inject malicious code into npm users' projects. Note that npm does have a policy that prevents packages from being unpublished more than 24 hours after publication, precisely so that their names cannot be reused; this policy, however, was not previously applied to packages deleted as spam, on the rationale that spammers should not be able to block legitimate names from being used.
In response to the incident, the npm staff took a number of steps, the most important of which was to implement a 24-hour cooldown on republishing any deleted package name, including names of packages deleted for spam. This makes it considerably harder to inject malicious code by replacing a deleted package, but it also means the npm staff must act within that 24-hour window to restore a legitimate package name before someone else attempts to reuse it.
Additionally, the npm staff will establish a number of guidelines to make it less likely that legitimate packages are mistakenly removed. You can read more about them in the original post.