github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

GHSA-679j-53p9-4q59 #3049

Closed achebrol closed 11 months ago

achebrol commented 11 months ago

Hi, we are getting a malware report (https://github.com/advisories/GHSA-679j-53p9-4q59) on one of our internal packages, @techops-ui/ping-authentication. The package itself was never published to the public npm repo. I opened a ticket in 2022 (Ticket No: 1729884) which I thought was already resolved on 4/21/2023, but we are seeing this behavior again. I tried updating the old ticket but I no longer have access to the same. Thanks, Azeet

KateCatlin commented 11 months ago

@achebrol thank you for proactively sharing your experience and concern.

On June 15th, we announced GitHub added malware advisories to the GitHub Advisory Database, though we do not send Dependabot alerts on them nor are they published to the repository here.

We found that the majority of those alerts in question (possibly including the one you raised) were for substitution attacks. During these types of incidents, an attacker would publish a package to the public registry with the same name as a dependency users rely on from a third party or private registry, with the hope a malicious version would be consumed. As Dependabot doesn't look at project configuration to determine if the packages are coming from a third-party registry, it has been triggering a notification for packages with the same name from the public npm registry. To resolve this issue in the short term, we paused all Dependabot notifications on malware advisories and will work to determine how to best notify customers of being the target of a substitution attack going forward.

If you are the owner of this package, it seems your package was the target of a substitution attack. However, it does not mean that there is an immediate action to be taken on your part as the malware has already been removed from the npm registry.

If you think this was created in error, you'll need to send in a reinstatement request. Here's a link to the npm policy and the form.

Alternatively, if someone else has been using the npm package name you can reach out to npm through the name dispute form.

Hope that helps and have a great day!

I'm going to close this Issue as there is no further action that we can take, but please reopen a new one if you have another ask!
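The reply above explains that a substitution attack works when a private package name is resolvable from the public registry, and that Dependabot does not consult project configuration to tell the two apart. The following script, added here as an example and not code from this issue thread, from GitHub or from npm, performs the configuration check a project owner can run locally: it reads an `.npmrc` and a `package.json`, works out which registry each dependency resolves to, and flags internal scopes that are not pinned to a private registry. The `.npmrc` and `package.json` contents are constructed samples; the `@techops-ui` scope comes from the issue, while `npm.internal.example`, `@other-scope` and the `internalScopes` list are assumptions for the example.

```javascript
// Added example: find internal dependency scopes that still resolve to the public
// npm registry, the configuration gap a substitution attack relies on.

// Constructed sample .npmrc. @techops-ui is pinned to a private registry (assumed
// host npm.internal.example); @other-scope is not pinned and falls back to the default.
const SAMPLE_NPMRC = [
  "registry=https://registry.npmjs.org/",
  "@techops-ui:registry=https://npm.internal.example/repository/npm-private/",
  "//npm.internal.example/repository/npm-private/:_authToken=${NPM_TOKEN}",
  "# comments and blank lines are ignored",
  "",
].join("\n");

// Constructed sample package.json (only the dependencies matter here).
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    "@techops-ui/ping-authentication": "^2.1.0",
    "@other-scope/internal-widgets": "^1.0.0",
    "lodash": "^4.17.21",
  },
};

const PUBLIC_REGISTRY = "https://registry.npmjs.org";

// Compare registry URLs without caring about a trailing slash.
function normalizeRegistry(url) {
  return url.replace(/\/+$/, "");
}

// Parse the key=value lines of an .npmrc into a Map (comments and blanks skipped).
function parseNpmrc(text) {
  const config = new Map();
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    config.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return config;
}

// "@scope/name" -> "@scope"; unscoped names return null.
function scopeOf(name) {
  if (!name.startsWith("@")) return null;
  const slash = name.indexOf("/");
  return slash === -1 ? name : name.slice(0, slash);
}

// Registry a package resolves to: "@scope:registry" if configured for its scope,
// otherwise the default "registry" key, otherwise the public registry.
function registryFor(name, config) {
  const defaultRegistry = config.get("registry") || PUBLIC_REGISTRY;
  const scope = scopeOf(name);
  const scoped = scope === null ? undefined : config.get(`${scope}:registry`);
  return normalizeRegistry(scoped || defaultRegistry);
}

// Return every dependency whose scope is listed as internal but which would be
// fetched from the public registry under this .npmrc.
function findUnpinnedInternalDeps(pkg, npmrcText, internalScopes) {
  const config = parseNpmrc(npmrcText);
  const findings = [];
  for (const name of Object.keys(pkg.dependencies || {})) {
    const scope = scopeOf(name);
    if (scope === null || !internalScopes.includes(scope)) continue;
    const registry = registryFor(name, config);
    if (registry === PUBLIC_REGISTRY) findings.push({ name, registry });
  }
  return findings;
}

// Usage with the constructed samples: only @other-scope/internal-widgets is reported.
const findings = findUnpinnedInternalDeps(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, [
  "@techops-ui",
  "@other-scope",
]);
for (const f of findings) {
  console.log(`WARNING: ${f.name} resolves to ${f.registry}; pin its scope in .npmrc`);
}
```

The check is deliberately offline and configuration-only: it does not ask the public registry whether a same-named package exists, it only reports scopes whose packages npm would fetch from there. Pinning each internal scope to the private registry in `.npmrc` is what closes the gap, and rerunning the script after that change should produce no findings.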