Compromising Angular via expired NPM publisher email domains

194 points, posted by fransr, over 3 years ago

16 comments

ghughes, over 3 years ago
I don't like GitHub's security screener dismissing this report because of the "social engineering" aspect. There is a real problem here; it's easy to imagine this disclosure leading to another major OSS supply chain incident. I hope GitHub security folks are taking this more seriously than indicated by the response to the researcher.

> Their response seemed to indicate that the account was flagged due to previous issues sending emails, which would be expected with the domain having expired.

It's entirely possible that the domain could have been re-registered long before their next attempt to send an email to it.

I wonder if it's safer (and plausible) to run a daily whois audit job for all maintainer email domains and block anything that enters the redemptionPeriod status?
raesene9, over 3 years ago
It's a shame Github Support haven't (AFAIK) expanded on what they mean by "This is something we've been tracking internally and have mitigations in place for."

This problem is likely common to every public registry. Even if the registry doesn't publish e-mail addresses, it's often easy to work them out from other sources, so attackers can build up a list of targets relatively easily.

It seems like a hard one to solve for well. Mostly the registry will only know an author by their e-mail account, so if that's compromised it could be hard to tell the difference between the author genuinely losing their creds and an attacker who has taken over the domain.
ShakataGaNai, over 3 years ago
> Developers using custom domains for their email address should seriously consider the risks they are taking on by using the email for their online accounts. If this domain expires or is hijacked, where does that leave them?

This high level point really irritates me. What if you let your domain expire? What if your domain is hijacked? This applies to EVERYONE doing ANYTHING online with their own domain name - aka every business. What if you let your email account get hacked? What if you stop logging into your gmail account and they deactivate it for inactivity?

At the end of the day there are a hundred ways your accounts can have issues, if you don't care. If you don't pay attention. If you don't set up the proper alerting. Custom domains are not magically worse than using a gmail account.

As a normal, non-business, person... The longest running domain I've had was registered in 2005. It is still set up to receive email and works reliably, as it has done so for the last 17 years. Yes, it's been through several different email services in that time - but because I care about it I make sure it keeps working.
josteink, over 3 years ago
> This raises a point that I don't think many developers consider. By registering and using a custom domain as their main email address, they implicitly give that domain and their TLD complete control over most of their online accounts.

That's a feature, not a bug. This is what allows you to take full ownership of your online identity.

If you use @gmail.com or another address where you *rent* the address-space, someone else can at a random whim completely erase or compromise *all your things and accounts everywhere*.

Is the author here really pitching that as a good thing(tm)?
dessant, over 3 years ago
Is there a good reason for making NPM profile emails public? I have a unique email address on NPM, and it receives a considerable amount of phishing emails that target NPM and Mailgun.
politelemon, over 3 years ago
The NPM registry's API documentation seems to be wrong, or deliberately semi-vague, as well. It states (emphasis mine)

> maintainers: an array of objects containing author objects *as listed in package.json*

> author: object with name, email, and or url of author *as listed in package.json*

However, the email address against the user's profile gets listed even if your package.json does not contain an email address.

Example: https://registry.npmjs.org/leftpad/
01acheru, over 3 years ago
A tangential issue related to this since Github is involved: Github pages.

If you point a DNS entry to a Github page and then delete the page without deleting the entry in your DNS table, someone can create a new page with the same name and hijack your DNS entry for malicious purposes.

I've written to Github already about this: if they want to let you point your DNS to the page they should give you a unique entry to point to, so that if it is recreated in the future your entry will not point to the new page. Not asking you to point to the public page name that can be taken over.

They never replied...
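The dangling-record problem 01acheru describes, as an added example that is not part of the thread and not GitHub's code: a check over a DNS zone export that flags every CNAME pointing at a `*.github.io` host which is no longer in the inventory of Pages sites the organisation still publishes. Such a record keeps resolving after the page is deleted, so the hostname follows whoever next publishes a site under that github.io name. The zone records, the owned-sites inventory, the `example.com` names and the `find_dangling_pages_cnames` helper are all constructed for the example.

```python
"""Audit a DNS zone for CNAMEs to GitHub Pages sites you no longer own.

Added example for the thread, not code from GitHub or the original post.
Inputs are constructed: a zone export as (name, type, target) tuples and an
inventory of the *.github.io sites the organisation still controls.
"""
import re

# Constructed zone export. 203.0.113.0/24 is a documentation address range.
ZONE_RECORDS = [
    ("docs.example.com.", "CNAME", "example-org.github.io."),
    ("old-blog.example.com.", "CNAME", "retired-team.github.io."),
    ("www.example.com.", "CNAME", "example.com."),
    ("example.com.", "A", "203.0.113.10"),
]

# Constructed inventory of GitHub Pages sites still published by the organisation.
OWNED_PAGES = {"example-org.github.io"}

# A GitHub Pages user/organisation site is served at <owner>.github.io.
GITHUB_PAGES_HOST = re.compile(r"^[a-z0-9-]+\.github\.io$", re.IGNORECASE)


def normalize_name(name: str) -> str:
    """Strip the trailing dot of a zone-file FQDN and lower-case it."""
    return name.rstrip(".").lower()


def find_dangling_pages_cnames(records, owned_pages):
    """Return (record name, target host) pairs for CNAMEs that point at a
    GitHub Pages host which is not in owned_pages. Each hit is a hostname
    that would be served by whoever publishes a site under that github.io
    name after the original page was deleted."""
    owned = {normalize_name(p) for p in owned_pages}
    dangling = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        host = normalize_name(target)
        if GITHUB_PAGES_HOST.match(host) and host not in owned:
            dangling.append((normalize_name(name), host))
    return dangling


if __name__ == "__main__":
    for name, host in find_dangling_pages_cnames(ZONE_RECORDS, OWNED_PAGES):
        print(f"dangling CNAME: {name} -> {host} (not in owned inventory)")
```

Run against the zone before a Pages site is deleted, and treat a hit as "remove the CNAME first"; the per-site unique target 01acheru asks GitHub for would make the inventory comparison unnecessary, since a recreated page would never receive the old target name.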
sangnoir, over 3 years ago
Identity management is a very hard problem. A *lot* of systems identify people by, or anchor trust to, an email address; that *mostly* works, but has some very gnarly edges[0]. I don't think a private company can solve this (the company itself becomes a point of failure: what if they go out of business, or are acquired and change line of business?)

I really wish the USPS would get into managing digital identity, or at the very least, attack the lowest of hanging fruits: assign everyone[1] an email address that won't suddenly be closed for ToS violation, on a domain that won't expire in anyone's lifetime. Lost your password/authenticator? Walk into a post office with your government issued identity.

Cleverer people than I am should be able to figure out how to create anonymous identities from your official one and have them linked unidirectionally, i.e. Alice can voluntarily prove she owns/created the Alana identity, but it's otherwise computationally impossible/expensive to do the reverse (unmask Alice from just the Alana pseudo ID).

0. Losing access to a mailbox means losing access to account recovery functionality, and mailbox takeovers result in TFA.

1. This is US-centric, but hopefully an international standard may be set, so that governments or delegated authorities are responsible for basic online identity; just like the way TLDs are managed.
andrew_, over 3 years ago
I just so happen to have a dataset of every single email address in the NPM registry (and any publicly accessible email addresses for associated GitHub repo users). It wouldn't take long for me to stream those records using that domain lookup command to discover which were no longer registered. I wonder if that would have any intrinsic value to the community at large?
EGreg, over 3 years ago
I have been writing for years that package managers are a big security risk, and if you're writing a platform that's going to be used everywhere, you should import code by hand and verify what has changed. Or just write it yourself. Yes, seriously. Learn what your code base does. If your library is used N times then every hour you spend saves N people-hours.

It's just like using Slack: you think you're saving time because of the immediacy, but wind up paying the price down the line because 1 person can save N people time with threaded asynchronous stuff.

Others have said this as well: https://news.ycombinator.com/item?id=15272394
dadadad100, over 3 years ago
This is really a story about the weakness of digital identity. Stringing together identities proofed to IAL1 yields an IAL1 identity. Authenticating to AAL2 can never change that.
jacquesm, over 3 years ago
The fault is not with the domains or the publishers, but with the authentication used and not looking ahead beyond the 'happy path' of setting things up and making them work initially. That's the easy part. The hard part is to think through to the long term consequences of all those choices.
Lucasoato, over 3 years ago
What about checking the whois expiration of every email domain and locking out all the expired ones?
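The registry-side audit that ghughes (daily check of maintainer e-mail domains, lockout on the redemption-period state) and Lucasoato (lockout on expired domains) propose, as an added example that is not part of the thread and not npm's or GitHub's code. It reads the `maintainers` array of a package document (the field politelemon points out carries profile e-mails), extracts each e-mail domain and classifies it from RDAP-style domain records: unregistered, past expiration, in the "redemption period" / "pending delete" lifecycle states, or, covering ghughes' caveat, re-registered after the maintainer verified the address. The package document, the RDAP records, the `email_verified` field and the audit time are all constructed; a live audit would fetch the same fields from the registry and from the TLD's RDAP service.

```python
"""Maintainer e-mail domain audit for a package registry.

Added example for the thread, not npm's or GitHub's own code. All package
and RDAP data below is constructed; `email_verified` is a hypothetical field
a registry would keep from its own e-mail verification flow.
"""
from datetime import datetime, timezone


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed package document in the shape of registry package metadata.
PACKAGE_DOC = {
    "name": "example-package",
    "maintainers": [
        {"name": "alice", "email": "alice@example.com", "email_verified": "2019-05-01T00:00:00Z"},
        {"name": "bob", "email": "bob@lapsed.example", "email_verified": "2019-05-01T00:00:00Z"},
        {"name": "carol", "email": "carol@gone.example", "email_verified": "2019-05-01T00:00:00Z"},
        {"name": "dave", "email": "dave@overdue.example", "email_verified": "2019-05-01T00:00:00Z"},
        {"name": "eve", "email": "eve@reregistered.example", "email_verified": "2021-06-01T00:00:00Z"},
    ],
}

# Constructed RDAP-style records keyed by domain. A missing key stands in for
# an RDAP "not found" answer, i.e. nobody currently holds the domain.
RDAP_RECORDS = {
    "example.com": {"status": ["client transfer prohibited"],
                    "registered": "1995-08-14T00:00:00Z", "expires": "2030-01-01T00:00:00Z"},
    "lapsed.example": {"status": ["redemption period"],
                       "registered": "2018-01-01T00:00:00Z", "expires": "2022-01-01T00:00:00Z"},
    "overdue.example": {"status": ["auto renew period"],
                        "registered": "2018-01-01T00:00:00Z", "expires": "2022-02-01T00:00:00Z"},
    "reregistered.example": {"status": ["ok"],
                             "registered": "2022-02-15T00:00:00Z", "expires": "2023-02-15T00:00:00Z"},
}

# EPP lifecycle states in which the holder has lost the domain and it is about
# to return to the pool (RDAP status names as mapped in RFC 8056).
RISKY_STATUSES = {"redemption period", "pending delete"}

NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)  # constructed audit time


def email_domain(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def classify_domain(domain, verified_at, records, now):
    """Return 'ok' or the reason the domain should trigger a lockout or re-verification."""
    rec = records.get(domain)
    if rec is None:
        return "unregistered"
    statuses = {s.lower() for s in rec.get("status", [])}
    if statuses & RISKY_STATUSES:
        return "redemption_or_pending_delete"
    if parse_ts(rec["expires"]) <= now:
        return "expired"
    # A registration date newer than the registry's own verification means the
    # name changed hands since the address was verified, even if it looks healthy.
    if parse_ts(rec["registered"]) > verified_at:
        return "reregistered_since_verification"
    return "ok"


def audit_maintainers(package_doc, records, now):
    """Map each flagged maintainer e-mail to the reason it was flagged."""
    findings = {}
    for m in package_doc.get("maintainers", []):
        email = m.get("email", "")
        if "@" not in email:
            continue
        verdict = classify_domain(email_domain(email), parse_ts(m["email_verified"]), records, now)
        if verdict != "ok":
            findings[email] = verdict
    return findings


if __name__ == "__main__":
    for email, reason in audit_maintainers(PACKAGE_DOC, RDAP_RECORDS, NOW).items():
        print(f"{email}: {reason}")
```

Locking out the flagged set is the control Lucasoato suggests; the registration-date comparison is what closes ghughes' gap, since a domain that was dropped and re-registered between two audits shows a healthy status and a future expiration date and would otherwise pass.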
the8472, over 3 years ago
Entirely avoidable if people could buy domains for 100 years, paid up-front.
paradite, over 3 years ago
I have 2FA for my npm account, does 2FA prevent this kind of attack?
beny23, over 3 years ago
Would be interesting to draw up a list of package registries and whether they require MFA…