[kwlug-disc] npm leak via April's github entry
Mikalai Birukou
mb at 3nsoft.com
Fri May 27 07:08:40 EDT 2022
You might have received an email from npm.
Their blog https://github.blog/2022-05-26-npm-security-update-oauth-tokens/
I just want to note (focus on) a couple of things.
Quote from their email:
"""
* What information was involved? *
Your npm username, password hash, and email address in a 2015 npm
archive of user information from a skimdb.npmjs.com backup.
"""
I guess it should read as "What info could have been stolen?".
Reminder not to reuse passwords, and to use pass https://kwlug.org/node/1287
or other machine-helping-you methods for keeping unique passwords/tokens.
Quote from the blog post section "What happened":
"""
Using their initial foothold of OAuth user tokens for GitHub.com, the
actor was able to exfiltrate a set of private npm repositories, some of
which included secrets such as AWS access keys.
Using one of these AWS access keys, the actor was able to gain access to
npm’s AWS infrastructure.
"""
I wonder whether even the guys at npm put tokens directly into committed
code, or whether they were copied from "proper storage of secrets" in GitHub.
(Note: GitLab has a CI secrets-sorta thing, kept in repo settings and injected
via environment variables when CI is run.)
I appreciate single-click deployments. Can't imagine life without them,
and with only one click the rest of the team is doing the "last but
important" step, which is awesome.
But I have the following second thought: some friction might be needed,
in the form of click-and-paste of a token for the deployment op. It adds
the burden of having a token just for a particular op, a key to a garden's
corner instead of the whole kingdom. And it adds an "and paste" part to the
last step. Am I overly paranoid?
Is there another, better approach to keeping fewer access capabilities on
CI infrastructure?
Meta question: is it reasonable to question one's degree of paranoid-ness
during or right after a leak/hack?
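On the "token directly in committed code" question above, here is the kind of check that catches an AWS key before it lands in a commit. This is an added example, not code from the post, from npm or from GitHub: a small scanner, usable as a pre-commit hook or a CI gate, that flags access key IDs by their fixed AKIA/ASIA prefix and 20-character length, and flags 40-character high-entropy strings on lines that mention a secret, key, token or password. The config it scans is constructed; the two credential values are the public placeholder credentials from the AWS documentation, and the regexes, keyword list and entropy threshold are this example's own choices.

```python
"""Scanner for AWS credentials committed to files (pre-commit hook or CI gate)."""
import math
import re
import sys
from collections import Counter

# Constructed sample file. The two credential values are the public placeholders
# from the AWS documentation, not real keys; the last line is a low-entropy decoy
# that sits on a "key" line but must not be flagged.
SAMPLE_CONFIG = """\
# deploy.cfg (constructed example)
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
cache_key = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

# Access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary)
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters from the base64 alphabet. That regex alone
# over-matches (hashes, build IDs), so a candidate must also sit on a line that
# mentions a secret and must have high Shannon entropy. Threshold is an assumption.
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_CONTEXT_RE = re.compile(r"secret|key|token|password", re.IGNORECASE)
ENTROPY_THRESHOLD = 4.0  # bits per character; the AWS doc example secret scores about 4.9


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _finding(path: str, lineno: int, kind: str, value: str) -> dict:
    # Never echo the full secret into CI logs; keep a short prefix for triage only.
    return {"path": path, "line": lineno, "kind": kind, "redacted": value[:4] + "..."}


def scan_text(text: str, path: str = "<string>") -> list:
    """Return one finding per suspected credential: path, 1-based line, kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(_finding(path, lineno, "aws_access_key_id", m.group(0)))
        if SECRET_CONTEXT_RE.search(line):
            for m in SECRET_CANDIDATE_RE.finditer(line):
                if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                    findings.append(_finding(path, lineno, "high_entropy_secret", m.group(0)))
    return findings


def main(paths: list) -> int:
    """Scan the given files (or the built-in sample); exit 1 if anything is found."""
    total = 0
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths] \
        or [("SAMPLE_CONFIG", SAMPLE_CONFIG)]
    for path, text in sources:
        for f in scan_text(text, path):
            total += 1
            print(f"{f['path']}:{f['line']}: {f['kind']} ({f['redacted']})")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the two findings on the sample, or wire it into a pre-commit hook with the staged file list, e.g. `python scan_secrets.py $(git diff --cached --name-only)`, so the hook refuses the commit when the exit status is non-zero. The entropy gate is what keeps the decoy line quiet; a real deployment would also maintain an allow-list for known placeholders.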
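For the "key to a garden's corner" idea and the question of keeping fewer access capabilities on CI, here is one concrete shape it can take. This is an added example, not code from the post or from any CI product: the person doing the deployment mints a token bound to a single operation and a few minutes of lifetime, pastes it into the job, and the deploy side verifies that binding, so a token scraped from CI logs or a stray repo is useless for any other operation or after it expires. The token format, the claim names ("op", "exp", "nonce"), the operation names and the signing key are all this example's own assumptions.

```python
"""Single-operation, short-lived deploy tokens (HMAC-SHA256), an added example."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(signing_key: bytes, op: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Token usable only for `op` (e.g. "deploy:staging") and only for ttl_seconds from now."""
    now = time.time() if now is None else now
    # Assumed claim names: op (what the token may do), exp (unix expiry), nonce (uniqueness).
    claims = {"op": op, "exp": int(now) + ttl_seconds, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(signing_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(signing_key: bytes, token: str, expected_op: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Accept only if the signature is valid, the op matches exactly and the token is unexpired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected_sig = hmac.new(signing_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):  # constant-time comparison
        return False, "bad signature"
    claims = json.loads(payload)  # safe: the payload is exactly what we signed
    if claims.get("op") != expected_op:
        return False, "wrong op"
    if now >= claims["exp"]:
        return False, "expired"
    return True, "ok"


def tamper_op(token: str, new_op: str) -> str:
    """Rewrite the op claim but keep the old signature: what a thief of the token would try."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["op"] = new_op
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + sig_b64


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # lives with the deploy target, never in the CI runner
    tok = mint_token(key, "deploy:staging", ttl_seconds=300)
    print("paste this into the job:", tok)
    for op in ("deploy:staging", "deploy:prod"):
        print(op, verify_token(key, tok, op))
    print("tampered:", verify_token(key, tamper_op(tok, "deploy:prod"), "deploy:prod"))
```

The design choice is that CI never holds the signing key, only the one pasted token, so the most a compromised runner can do is the one operation it was handed, for a few minutes. What this example leaves out is replay protection (the deploy side would remember nonces it has already honoured until they expire) and the fact that the signing key itself still needs a home, which is the same "proper storage of secrets" problem, just with a much smaller blast radius.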