The supply chain threat has been dubbed “Package Planting” by researchers from cloud security firm Aqua. Following responsible disclosure on February 10, the underlying issue was remediated by NPM on April 26.
“Up until recently, NPM allowed adding anyone as a maintainer of the package without notifying these users or getting their consent,” Aqua’s Yakir Kadkoda said in a report published Tuesday.
This effectively meant that an adversary could create malware-laced packages and assign them to trusted, popular maintainers without their knowledge.
images from Hacker News