npm Blog (Archive)

The npm blog has been discontinued.

Updates from the npm team are now published on the GitHub Blog and the GitHub Changelog.

Incident report: npm, Inc. operations incident of July 12, 2018

Early in the morning of July 12, an individual gained access to an npm publisher’s account and used this access to publish an unauthorized update of a popular package. The update included malicious code that would have attempted to access the accounts of additional npm users by obtaining these accounts’ access tokens.

We determined that access tokens for approximately 4,500 accounts could have been obtained before we acted to close this vulnerability. However, we have not found evidence that any tokens were actually obtained or used to access any account during this window.

As a precautionary measure, npm has revoked every access token that had been created prior to 2:30 pm UTC (7:30 am California time) today. This measure requires every registered npm user to re-authenticate to npm and generate new access tokens, but it ensures that there is no way for this morning’s vulnerability to persist or spread. We are additionally conducting a full forensic analysis to confirm that no other accounts were accessed or used to publish unauthorized code.

This morning’s incident did not happen because of an npm breach, but because of a breach elsewhere that exposed a publisher’s npm credentials. To mitigate this risk, we encourage every user to enable two-factor authentication, with which this morning’s incident would have been impossible.