S3 Bucket Takeover on assets.npmjs.com: A Potential Supply Chain Attack

Not long ago, we discovered a vulnerability in the subdomain assets.npmjs.com, which if left unaddressed, could lead to a huge supply chain attack. As software engineers and DevOps professionals, it is essential to understand the impact of such vulnerabilities and ways to mitigate them.

In this blog post, we will discuss how the S3 Bucket takeover on assets.npmjs.com could lead to a supply chain attack and how to prevent it.

‍

What is S3 Bucket takeover?

Subdomain takeover occurs when an attacker exploits a misconfigured DNS record and takes control of a subdomain.
In this case, assets.npmjs.com was pointing to an unclaimed S3 Bucket, which made it vulnerable to subdomain takeover.
The attacker can then upload any malicious content on this domain, leading to a supply chain attack.

‍

How it could lead to a supply chain attack?

assets.npmjs.com naming convention could make it very easy for malicious actors to host their own “fork” of npm - supported by thousands of malicious packages, because of the fact that the subdomain takeover was on an asset with naming that makes it more realistic to host legitimate packages (unlike having Subdomain Takeover on internal.dev.something.npmjs.com) made this one more severe than others.

Attackers could obfuscate the website as one which is used by npm to host JavaScript packages, and any malicious code uploaded on this domain can affect millions of users who rely on these packages.

The attacker can upload a malicious package or modify an existing package to include their malicious code, leading to a supply chain attack.

‍

What happened in this case?

The domain assets.npmjs.com was discovered to be pointing to an unclaimed S3 Bucket, making it vulnerable to subdomain takeover.

We at shockwave have dedicated thousands of hours through trial and error to make our scanning engines as fast as you can possibly get, up to a point where we scan and automatically claim S3 buckets every 60 seconds, this is why we managed to claim it before malicious actors did, and save the interest of Github’s npmjs and the software development lifecycle.

‍

‍

The issue was reported in a couple of minutes to Github’s Bug Bounty Program on HackerOne, who resolved the matter in couple of hours, treating the bug as “High Severity” through their CVSS evaluation.

Mitigation

To mitigate this vulnerability, it is essential to remove the DNS record from the subdomain that is pointing to the unclaimed S3 Bucket.

This will prevent an attacker from taking over the subdomain and uploading any malicious content.
When dealing with DNS removal and allocation in daily basis, always aim to remove the DNS entry from the registrar before removing the actual asset it points to.

Impact

A subdomain takeover can have severe consequences, and if left unaddressed, it could lead to a supply chain attack in this particular case.

An attacker can upload a malicious packages by hosting malicious content on the domain, leading to a range of attacks, including XSS, phishing, etc.

Conclusion

In conclusion, the S3 Bucket takeover on assets.npmjs.com highlights the importance of securing DNS records and subdomains.

We weren’t be able to detect and claim the domain if it wasn’t for our contextual scanning engines, this is exactly why continuous monitoring actually matters if done right.

‍

About Us

Using a platform like Shockwave for continuous monitoring can help catch vulnerabilities before they can be exploited, we are dedicated on bringing real security value to our customers, and care deeply about the data we product - 0 false positives, no alert fatigue, real and valuable continuous monitoring, that’s why our customers love to bolster their Attack Surface Resistance with our product offering.