Npm Token

ID

npmrc

Severity

critical

Vendor

Node Package Manager

Family

API Token

Description

Npm (Node Package Manager) is the package manager for the Node.js (JavaScript) ecosystem. The npm CLI and registry API are used to publish and download packages and for other interactions with package registries. An access token is the usual alternative to a username and password for authenticating to npm, and it is typically stored in an .npmrc file.

Security

Many past supply-chain attacks originated when attackers gained access to npm accounts and published malicious versions of popular packages. A leaked token with publish rights gives an attacker that same capability without needing the account password.

Examples

# configure auth token
@fontawesome:registry=https://npm.fontawesome.com/
//npm.fontawesome.com/:_authToken=$AUTH_TOKEN

# default registry
registry=https://registry.npmjs.org/

# scoped registry
@cloudhadoop:registry=http://npm.noncompliant.com

# OMG you are p4wnd! if this is leaked
#007e64c7-635d-4d54-8295-f360cb8e2e4f
#a73c9572-f1b9-8983-983d-ba3ac3cc913d
//npm.noncompliant.com/:_authToken=a73c9572-f1b9-8983-983d-ba3ac3cc913d

; log level settings
loglevel=warn
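The examples above show the two forms a detector has to tell apart: a `_authToken` that references an environment variable (`$AUTH_TOKEN`, expanded by npm at runtime) and one that carries the literal token, possibly on a commented-out line. The following script is an added example written for this page, not code from npm or from the original entry. It scans .npmrc text for literal tokens (legacy UUID-shaped tokens like the ones above, and the `npm_`-prefixed tokens npm has issued since 2021), flags a plaintext `http://` registry because the token would travel unencrypted, and produces a sanitized copy that references an environment variable instead. The sample .npmrc and its all-zero token value are constructed placeholders.

```javascript
// Added example, not part of the original page: scan .npmrc text for
// hard-coded npm auth tokens and produce a sanitized copy that references
// an environment variable instead. The sample .npmrc below is constructed;
// its token value is a placeholder, not a real credential.

// Legacy npm tokens are UUID-shaped; tokens issued since 2021 carry an
// "npm_" prefix followed by 36 alphanumeric characters.
const LEGACY_TOKEN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const PREFIXED_TOKEN = /^npm_[A-Za-z0-9]{36}$/;
// $AUTH_TOKEN or ${NPM_TOKEN} is expanded by npm at runtime, so it is a
// reference to a secret, not a leaked value.
const ENV_REF = /^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$/;

function isTokenLiteral(value) {
  return LEGACY_TOKEN.test(value) || PREFIXED_TOKEN.test(value);
}

// Split an .npmrc line into its comment flag, its uncommented body and,
// when present, the "<registry>:_authToken" key and its value.
function parseLine(raw) {
  const line = raw.trim();
  const commented = /^[#;]/.test(line);
  const body = line.replace(/^[#;]\s*/, '');
  const auth = body.match(/^(.*?:_authToken)\s*=\s*(\S+)$/);
  return { commented, body, authKey: auth ? auth[1] : null, authValue: auth ? auth[2] : null };
}

// One finding per offending line. Commented-out tokens are still findings:
// a comment leaks the value just as well as a live setting does.
function scanNpmrc(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const { commented, body, authValue } = parseLine(raw);
    const lineNo = idx + 1;
    if (authValue !== null) {
      if (!ENV_REF.test(authValue) && isTokenLiteral(authValue)) {
        findings.push({ line: lineNo, kind: commented ? 'commented-token' : 'token', value: authValue });
      }
    } else if (commented && isTokenLiteral(body)) {
      findings.push({ line: lineNo, kind: 'commented-token', value: body });
    } else if (!commented && /registry\s*=\s*http:\/\//.test(body)) {
      // A plaintext registry sends the token unencrypted on every request.
      findings.push({ line: lineNo, kind: 'insecure-registry', value: body });
    }
  });
  return findings;
}

// Drop commented-out or stray tokens and replace live literal tokens with an
// environment-variable reference so the file can be committed safely.
function sanitizeNpmrc(text, envVar = 'NPM_TOKEN') {
  const out = [];
  for (const raw of text.split(/\r?\n/)) {
    const { commented, body, authKey, authValue } = parseLine(raw);
    const literal = authValue !== null ? isTokenLiteral(authValue) : isTokenLiteral(body);
    if (literal) {
      if (commented || authKey === null) continue;
      out.push(`${authKey}=\${${envVar}}`);
      continue;
    }
    out.push(raw);
  }
  return out.join('\n');
}

// Constructed sample: one env-var reference (fine), one plaintext registry,
// one commented-out token and one live literal token (placeholder value).
const SAMPLE_NPMRC = [
  '# configure auth token',
  '@fontawesome:registry=https://npm.fontawesome.com/',
  '//npm.fontawesome.com/:_authToken=$AUTH_TOKEN',
  '',
  '# scoped registry',
  '@cloudhadoop:registry=http://npm.noncompliant.com',
  '#00000000-0000-4000-8000-000000000000',
  '//npm.noncompliant.com/:_authToken=00000000-0000-4000-8000-000000000000',
  'registry=https://registry.npmjs.org/',
].join('\n');

console.log(scanNpmrc(SAMPLE_NPMRC));
console.log(sanitizeNpmrc(SAMPLE_NPMRC));
```

Running this on the sample reports three findings (the plaintext registry, the commented-out token and the live token), and the sanitized output keeps only the plaintext-registry finding, which has to be fixed by switching the registry URL to `https://` rather than by rewriting the token line. Rewriting the file is only the last step of the fix: a token that has already been committed must still be revoked, as the mitigation steps below describe.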

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). A simple npm token revoke <token-id> command revokes the npm token.

  2. Check access logs to ensure that the secret was not used by unintended actors during the compromised period. The Last Used column on the Access Tokens page (https://www.npmjs.com/settings/YOUR_USER/tokens/) can help you identify use of your npm account by an attacker. Also review the packages and package versions published from the account; any unexpected ones should be treated as potential malware and promptly reported.

  3. Remove the npm token from the source code or committed configuration file, for example by replacing it with an environment-variable reference such as ${NPM_TOKEN}. You may also remove it from the git history.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
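Step 2 above asks you to review what was published while the token was exposed. The script below is an added example written for this page, not code from npm. It works on the package document ("packument") that the registry returns for GET https://registry.npmjs.org/<name>, whose `time` object maps `created`, `modified` and every published version to an ISO timestamp, and lists the versions published inside a suspected compromise window together with whether the `latest` dist-tag (what a plain `npm install` resolves to) points at one of them. The packument, package name and dates are constructed, not fetched from the registry.

```javascript
// Added example, not part of the original page: list the versions of a
// package published inside a suspected compromise window, using the registry
// packument's "time" object (keys: "created", "modified" and one per version,
// each an ISO publish timestamp). The packument below is constructed.
const SAMPLE_PACKUMENT = {
  name: 'example-widget', // constructed package name
  'dist-tags': { latest: '1.4.1' },
  time: {
    created: '2023-01-10T09:00:00.000Z',
    modified: '2024-03-02T03:17:45.000Z',
    '1.2.0': '2023-01-10T09:00:00.000Z',
    '1.3.0': '2023-11-20T14:02:11.000Z',
    '1.4.0': '2024-02-12T10:30:00.000Z',
    '1.4.1': '2024-03-02T03:17:45.000Z',
  },
};

// Versions whose publish time falls within [from, to], oldest first.
function versionsPublishedBetween(packument, from, to) {
  const start = Date.parse(from);
  const end = Date.parse(to);
  return Object.entries(packument.time || {})
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .map(([version, ts]) => ({ version, publishedAt: ts, t: Date.parse(ts) }))
    .filter(({ t }) => t >= start && t <= end)
    .sort((a, b) => a.t - b.t)
    .map(({ version, publishedAt }) => ({ version, publishedAt }));
}

// Summary for an incident report: which versions need review, and whether
// the "latest" tag currently points at one of them.
function auditPublishWindow(packument, from, to) {
  const suspect = versionsPublishedBetween(packument, from, to);
  const latest = packument['dist-tags'] ? packument['dist-tags'].latest : undefined;
  return {
    name: packument.name,
    suspectVersions: suspect.map((v) => v.version),
    latestIsSuspect: suspect.some((v) => v.version === latest),
  };
}

// Constructed window: the token was exposed from 2024-02-01 until it was
// revoked on 2024-03-31.
console.log(auditPublishWindow(SAMPLE_PACKUMENT, '2024-02-01T00:00:00Z', '2024-03-31T00:00:00Z'));
```

For the constructed data this reports versions 1.4.0 and 1.4.1 as published inside the window and notes that `latest` points at 1.4.1, so every fresh install during that period picked up a version that needs review. A version you did not publish yourself is the signal to deprecate or unpublish it and to report it as potential malware, as step 2 says.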

For mitigation:

  • Follow the principle of least privilege: use read-only tokens for installing packages when there is no need to publish. Protect accounts that hold publish-level tokens with two-factor authentication (2FA), so that a one-time passcode is required for sensitive operations. For automation tokens used in CI/CD and other automation systems, take care in how the token is passed to the job, and store it in a secrets vault rather than in committed configuration when publishing packages.

  • Restrict the token to an allowed IP range by passing the --cidr option to npm token create when creating the token, so a leaked token cannot be used from outside that range.