Many npm accounts use email addresses from domains that have expired

A research project by academics found that thousands upon thousands of JavaScript developers use an email address from an expired domain to access their npm accounts. This leaves their projects vulnerable to easy hijacking.

Researchers from Microsoft and North Caroline State University conducted the study last year and analysed the metadata of 1,630.101 libraries uploaded to Node package Manager (npm). is the most popular repository for JavaScript libraries, and also the largest package repository online.

2,818 developers are exposed to account hijacks

Researchers discovered that 2,818 project managers were still using email addresses for accounts with expired domains, some of them purchased on sites such as GoDaddy.

The team suggested that attackers could purchase these domains, reregister the address of the maintainer on their own email servers and reset the account password to the maintainer and take control of his npm package.

This attack would work because the two-factor authentication (2FA), which is required by the npm portal, does not apply to account owners. The attacker would then be able to alter packages with no other hindrance once they reset their password.

The research team found that the 2,818 maintainer account managed 8,494 packages. This average had 2.43 dependents. It means that any attack could also affect tens or thousands of downstream projects.

These account hijacks could be detected by account owners. However, researchers pointed out that many accounts and npm libraries are either abandoned (44.3%) or unmaintained (58.7%). There is a high chance that attackers could carry out their attacks even though the maintainers may not be aware.

The npm team seems to have responded to these findings

Although the research team stated that they had notified the security team at npm of their findings, they did not specify how the team responded. Emails sent to GitHub (which owns npm) were not returned prior to publication.

It is important to note that npm had announced plans for slowly enforcing 2FA on developer accounts days before this study was published. This process was to be completed in multiple stages. The Top 100 maintainer accounts were required to enroll in 2FA at this month.

Further details about the study can be found in the ” What Are Weak Links in npm Supply Chain?” research document. Below are some other findings from the research team:

  • 2.2% (33.3,249) of packages used scripts to install, which can be used to execute malicious commands. This is against npm’s best security practices.
  • The top 1% packages (14.941) had an average 32.4 maintainers per pack, which opens the door to attacks via inactive or inattentive programmers.
  • There were 40 contributors to 389 packages for each maintainer. This opens the possibility of malicious code being inserted or floods a project with contributions.
  • The top 1% maintainers have an average of 180.3 packages. This means that developers may be overwhelmed or lack the time or resources to review and maintain package changes.