How I hacked NPM

Jozef Petro
3 min read · Feb 1, 2019


It all started when we ran into a problem installing npm packages: "Maximum call stack exceeded".

Sometimes it just happens, and you try everything: `npm cache clean --force`, `npm rebuild`, `rm -r node_modules`, you name it. Nothing helped, and we were pretty frustrated, so we started tracing the root of the problem.

After a couple of hours we found that one of the packages we use depends on hbetts/parse-repository-url, but that package had been deleted. This raised a red flag because, as you may know, after the left-pad affair, when the author deleted the package and broke thousands of other packages including Node and Babel, npm removed the ability to delete a published package more than 72 hours after publishing.

We searched npm for the hbetts organization and found no packages. All of its packages had been moved under the hutson organization.

Now the fun begins. I decided it would be nice to bring hbetts back to life, so I created an organization with that name under my own account, and it worked!

Then I searched for it again, and all the packages magically appeared in the results, but each package still returned a 404.

You can see that the list still shows the original author.

So I found the package on GitLab, cloned it and republished it under this organization, which I should not even have been able to create. It worked like a charm, with one twist: I became the author of the package!

Pay attention to the bottom-right corner.

So I tried it with another package, and mate, it all worked! These packages are currently used in multiple projects, including ours, which is working again after the republishing. I now have the ability to modify them and insert malicious code, but that is another story.

I had nothing to do with the original hbetts organization, which is why I found this interesting enough to share.

Please note that I have already reported everything to npm and did not want to cause any harm. I explained everything in detail, but they still didn't get it, so I'll keep you updated on this.

Follow me on twitter :))
