Almost 1/3 of Top npm Accounts Aren’t Protected with 2FA – InApps 2022

Main Contents:

Almost 1/3 of Top npm Accounts Aren’t Protected with 2FA – InApps is an article under the topic Software Development Many of you are most interested in today !! Today, let’s InApps.net learn Almost 1/3 of Top npm Accounts Aren’t Protected with 2FA – InApps in today’s post !

Hard to Secure

By its very nature, npm is a horror show to secure. Npm enables you to use external libraries and supports dependency management. Combined this makes it all too easy to call third-party libraries and dependencies for your project. In addition, while in theory npm packages include everything needed for their functionality all too often, many packages download additional resources upon installation. Sure, you checked the specific program for security problems but what about all its dependencies and its downloads?

Can you say “dependency hell?” I can.

A 2019 study found that on average, npm packages implicitly trust 79 third-party packages and 39 maintainers. Additionally, popular packages often influence over 100,000 other packages. This makes them prime attack targets.

Only 100 Projects

Now, npm finally adopted 2FA for its top 100 projects, but that’s nothing like enough. And remember all those dependencies? If only one of those is compromised, thousands of applications can be transformed into cryptominers. That’s not just an idle worry. It’s already happened. UA-Parser-JS, an npm package with millions of weekly downloads, which was briefly compromised with crypto mining and password-exfiltration malware.

Two-factor authentication is also planned for high-impact packages. That is, packages with more than 1 million weekly downloads or 500 dependencies. That’s a good start, but again, it’s not enough. All npm accounts need 2FA protection.

Minimize the Attack Surface

Now, 2FA isn’t perfect. Far from it! And, we also know that many developers hate using 2FA, but it’s so, so much better than the alternative.

Consider though if you were a hacker how much easier it would be to attack someone’s account who wasn’t using 2FA? Guess what? It turns out that, until recently, you could automatically find out whether someone had 2FA enabled. If your npm projects are widely used, you might as well put a target on your back.

So it is that Aqua Security strongly suggests as developers we minimize our attack surfaces and make account takeover more challenging for attackers. “Otherwise, the results can be damaging to the whole community.” In particular, “we strongly encourage developers who contribute to open source and create packages to enable 2FA on all their accounts.”

To that, I can only say, “Amen!”

InApps is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Aqua Security.

Featured image via Pixabay.

Source: InApps.net

Rate this post

Phu Nguyen

As a Senior Tech Enthusiast, I bring a decade of experience to the realm of tech writing, blending deep industry knowledge with a passion for storytelling. With expertise in software development to emerging tech trends like AI and IoT—my articles not only inform but also inspire. My journey in tech writing has been marked by a commitment to accuracy, clarity, and engaging storytelling, making me a trusted voice in the tech community.