Hello.
I’m forwarding to you my conversation with npm staff regarding security issue. It allows to escalate to root privilages of victim using either:
a) basic social engineering - convincing victim to run npm in attacker-controlled folder (eg. repository), including such innocent ones like “npm help” or “npm whoami”
b) low-privilage process with access to writing files
I believe that impact of this bug can be high, if someone is able to hijack well-positioned tutorial.
Michał Wadas
---------- Forwarded message ----------
Jon Lamendola (npm)
May 22, 12:19 PDT
Hello Michal,
We’re reviewing the impact of changing this behavior and still discussing internally how we might move forward. We understand that it’s a risk, but it is also a feature that people use, so we need to fully understand the consequences of making major changes to it before we do. Unfortunately, this can take some time to analyze.
In the meantime, you can alias npm to something like npm --onload-script=“” “$@” for a temporary workaround.
Thanks again for reporting this to us.
Michał Wadas
May 21, 07:05 PDT
Hi.
Is there any update on this?
Michał Wadas
Apr 26, 16:32 PDT
Just noticed - if attacker can control .npmrc (either by writing it from low-privilage script or tricking user into using sudo npm in infected folder), he can set user flag in .npmrc too.
Jon Lamendola (npm)
Apr 26, 11:36 PDT
Hello Michal,
Thanks for reporting this to us. I agree, this is a legitimate concern, and I will pass this on to the npm CLI team for discussion.
Michał Wadas
Apr 26, 09:54 PDT
Source of issue:
I have pin-pointed it to line 236 in lib/npm.js file in master tree.
Attack scenario:
Proposed actions:
These actions should limit scope of attack.
Quick survey in group of Polish programmer showed that around ~30% of npm users use sudo npm
All versions of npm between 3.10 and 6.0 are confirmed to be vulnerable.
Thanks for your attention,
Michał Wadas
Attacker can reliably run arbitrary code with user privilages if he is able to write to .npmrc.
If user use “sudo npm” in folder with malicious .npmrc, attacker can run arbitrary code with root privilages.