A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack.
“The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password,” software supply chain security company Illustria said in a report.
While npm’s security protections limit users to have only one active email address
This article has been indexed from The Hacker News
Read the original article: