Researchers exploit “mixed-toc” NPM package


A group of researchers has hijacked a popular NPM package with millions of downloads. NPM (Node Package Manager) is a library and registry for JavaScript software packages, and is relied on by over 11 million developers worldwide.

The package in question is called “mixed-toc”, and is used to generate tables of contents for Markdown documents. The vulnerability affected version 1.2.2 of the package and allowed attackers to hijack the maintainers’ accounts and publish malicious code to the NPM registry.

According to Illustria, the vulnerability affected over 1,000 packages that depended on the “mixed-toc” package, potentially leaving millions of users exposed to the risk of attack. Illustria urged users to update to the latest version of the package (version 1.2.3) and advised NPM users to stay vigilant against security vulnerabilities in popular packages.

The researchers were able to steal tokens and bypass two-factor authentication by exploiting a vulnerability in the package’s code. This allowed them to take control of the package and distribute a malicious version of it. The malicious version contained a backdoor that would allow the attacker to take control of the user’s system. It also granted a threat actor access to the package’s associated GitHub account, making it possible to publish trojanized versions to the npm registry that could be weaponized to conduct supply chain attacks at scale.

The researchers responsible for the discovery of the vulnerability are from a company called Illustria. They reported the vulnerability to the package’s maintainers, who were able to quickly fix the problem and publish a new, secure version of the package.

“The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password,” Illustria said in a report. This happened after Illustria first purchased the domain for $8.46.

Even though npm has a mechanism that limits each user account to a single active email address, Illustria added that the package’s associated GitHub account is recoverable. A CI/CD automation token (used to publish packages automatically) can be extracted from the project’s pipeline and used to publish new malicious packages on behalf of the maintainer account that has access to the GitHub account.
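The takeover path Illustria describes starts with a maintainer email address whose domain has lapsed. The following is an added example, not code from the article or from Illustria, showing the defender-side check: it reads npm registry metadata (a “packument”) for a dependency, collects every maintainer email domain, and flags domains that no longer resolve in DNS. The package name, maintainers and domains in the sample are constructed.

```python
"""Audit a dependency's maintainer e-mail domains for lapsed registrations.

Added example (not from the article or Illustria). Feed it the registry JSON
for each package in your lock file; names and e-mails below are constructed.
"""
import json
import socket
from typing import Callable, List, Set

# Constructed sample of an npm registry document for one dependency.
SAMPLE_PACKUMENT = json.dumps({
    "name": "example-toc",
    "dist-tags": {"latest": "1.2.3"},
    "maintainers": [
        {"name": "alice", "email": "alice@example.com"},
        {"name": "bob", "email": "bob@lapsed-domain.invalid"},
    ],
})


def maintainer_domains(packument_json: str) -> Set[str]:
    """Return the lower-cased e-mail domain of every listed maintainer."""
    doc = json.loads(packument_json)
    domains = set()
    for maintainer in doc.get("maintainers", []):
        email = maintainer.get("email", "")
        if "@" in email:
            domains.add(email.rsplit("@", 1)[1].lower())
    return domains


def resolves(domain: str) -> bool:
    """True when the domain has an A/AAAA record (uses the system resolver)."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def unresolvable_domains(packument_json: str,
                         resolver: Callable[[str], bool] = resolves) -> List[str]:
    """Maintainer e-mail domains that fail to resolve, sorted for reporting.

    A non-resolving domain is a lead, not proof: a registered domain with no
    A record also fails here, so confirm with a WHOIS/RDAP lookup before acting.
    """
    return sorted(d for d in maintainer_domains(packument_json) if not resolver(d))


if __name__ == "__main__":
    # ".invalid" is reserved and never resolves, so the sample flags bob's domain.
    print(unresolvable_domains(SAMPLE_PACKUMENT))
```

Run it against `npm view <package> --json` output for each dependency, and treat any flagged domain as a reason to pin the package version and contact the maintainer.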

The sources for this piece include an article in TheHackerNews.
