NPM OAuth Token

ID

npm_oauth_token

Severity

critical

Vendor

GitHub

Family

OAuth Token

Description

With npm there is often a need to install packages from private repositories hosted on GitHub. For that, it is common to put a GitHub OAuth (v2) token in the git URL instead of a username and password.

There are alternatives for hosting private packages: third-party registries (JFrog Artifactory, Sonatype Nexus, Verdaccio), the npm registry itself, which can hold private packages for a user or an organization on a paid plan, and GitHub Packages.

Security

Compared with usernames and passwords, OAuth tokens provide additional benefits:

  • Revocable access. A token can be revoked at any time from the user's settings in GitHub, without changing the account password.

  • Limited access. When requesting access, an application declares the permissions it needs, and the token is created with the scopes the user grants.

Tokens should be treated as passwords. Putting a token in a clone URL results in Git writing it in plain text to the repository's .git/config file, and a package.json that embeds it is committed and shared with everyone who can read the project. An OAuth token is also not tied to a single repository: within its granted scopes it works for every repository the user has access to.

Examples

The following private-pkg-example dependency uses a hardcoded GitHub OAuth token in the project's package.json (the token is the username part of the git URL, paired with the literal password x-oauth-basic):

{
  "name": "library",
  "version": "1.0.0",
  "description": "user library",
  "main": "src/index.js",
  "dependencies": {
    "lodash": "^4.0.0",
    "private-pkg-example": "git+https://111da111qqqq309bqq562159952c2c2a11111a1:x-oauth-basic@github.com/example/example.git#v1.0.0"
  }
}
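The detection this rule performs can be reproduced with a short script. The following is an added example, not code from the original page or from any scanner vendor: it parses a package.json, flags git dependency specs whose URL carries credentials in the userinfo part, reports a redacted preview of each secret, and returns a sanitized copy of the manifest with the credentials stripped. It goes slightly beyond the page's example by also recognising the oauth2:TOKEN@ and user:password@ shapes. The input is constructed to mirror the page's example plus one extra devDependency; every token value is a placeholder.

```javascript
// Added example (not from the original page): scan a package.json for git
// dependency specs that embed a credential in the URL userinfo, as in the
// page's "private-pkg-example" entry, and produce a copy with the credential
// stripped. Uses only Node.js built-ins (the global WHATWG URL class).

// Constructed input mirroring the page's example. The token values are
// placeholders, not real credentials; "example-tools" is an invented entry
// that shows the oauth2:TOKEN@ shape.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'library',
  version: '1.0.0',
  dependencies: {
    lodash: '^4.0.0',
    'private-pkg-example':
      'git+https://111da111qqqq309bqq562159952c2c2a11111a1:x-oauth-basic@github.com/example/example.git#v1.0.0',
  },
  devDependencies: {
    'example-tools': 'git+https://oauth2:PLACEHOLDER_TOKEN_0000@github.com/example/tools.git',
  },
}, null, 2);

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// npm accepts git+https://, git+http:// and bare https:// specs for git deps.
// Returns { prefix, url } or null for non-URL specs such as "^4.0.0".
function parseGitHttpSpec(spec) {
  const m = /^(git\+)?(https?:\/\/\S+)$/i.exec(spec);
  if (!m) return null;
  try {
    return { prefix: m[1] || '', url: new URL(m[2]) };
  } catch {
    return null;
  }
}

// Decide which userinfo component holds the secret:
//   TOKEN:x-oauth-basic@   -> username is the token (the form on this page)
//   oauth2:TOKEN@          -> password is the token
//   user:password@         -> password is the secret
//   TOKEN@                 -> username is the secret
function extractSecret(url) {
  if (url.password === 'x-oauth-basic') return { kind: 'github-oauth-basic', secret: url.username };
  if (url.username === 'oauth2') return { kind: 'oauth2-password', secret: url.password };
  if (url.password) return { kind: 'basic-auth', secret: url.password };
  return { kind: 'bare-userinfo', secret: url.username };
}

// Never echo the full secret into logs or findings; keep enough to match a
// revocation against the right token.
function redact(secret) {
  if (secret.length <= 8) return '*'.repeat(secret.length);
  return secret.slice(0, 4) + '...' + secret.slice(-4);
}

// Returns { findings, sanitized } where `sanitized` is package.json text with
// every embedded credential removed from the affected specs.
function scanPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field];
    if (!deps || typeof deps !== 'object') continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (typeof spec !== 'string') continue;
      const parsed = parseGitHttpSpec(spec);
      if (!parsed || (!parsed.url.username && !parsed.url.password)) continue;
      const { kind, secret } = extractSecret(parsed.url);
      findings.push({ field, name, host: parsed.url.hostname, kind, secret: redact(secret) });
      // Strip the userinfo and rebuild the spec; the #ref fragment survives.
      parsed.url.username = '';
      parsed.url.password = '';
      deps[name] = parsed.prefix + parsed.url.href;
    }
  }
  return { findings, sanitized: JSON.stringify(pkg, null, 2) };
}

const report = scanPackageJson(SAMPLE_PACKAGE_JSON);
console.log(JSON.stringify(report.findings, null, 2));
console.log(report.sanitized);
```

Run it with node against a real manifest by replacing SAMPLE_PACKAGE_JSON with the file contents; the same loop applies to package-lock.json, where the "resolved" fields carry the same URLs. The sanitized output is only the first step of the fix: the stripped spec will no longer install until the credential is supplied another way, and the token itself still has to be revoked.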

Mitigation / Fix

  1. Remove the dependency from package.json and package-lock.json. Instead of fetching the artifact from a private GitHub repository, use scoped private packages on npm or one of the other registries above, and keep the registry credential in an .npmrc entry or environment variable rather than in a URL.

  2. Follow your policy for handling leaked secrets, which typically requires revoking the compromised OAuth token in GitHub. Revocation is needed even after the token is removed from the working tree, because it remains in the git history.

  3. Check the activity on the private GitHub project to ensure that no operations were performed by unintended actors using the token during the period it was exposed.
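As an added illustration of step 1 (not from the original page), the dependency can be replaced by a scoped private package served from GitHub Packages, with the credential kept out of package.json entirely. The @example scope, the package name and the GITHUB_TOKEN variable name are assumptions for this example. The package.json entry becomes "@example/private-pkg-example": "^1.0.0", and the project's committed .npmrc routes the scope to the registry and reads the token from the environment:

```ini
# .npmrc (safe to commit): route the @example scope to GitHub Packages.
# The scope and the variable name are assumptions for this example.
@example:registry=https://npm.pkg.github.com

# Credential for that registry, expanded by npm from the environment when the
# file is read. The token itself lives only in CI secrets or the developer's
# shell, never in a committed file.
//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
```

npm expands ${GITHUB_TOKEN} at read time and aborts with an error if the variable is unset, so a missing credential fails the install loudly instead of silently falling back. The same layout works for the npm registry (//registry.npmjs.org/:_authToken=${NPM_TOKEN}) or a self-hosted registry such as Verdaccio, and the token used here only needs the scope required to read packages, not access to the source repository.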