by raesene9 1577 days ago
It's a shame Github Support haven't (AFAIK) expanded on what they mean by "This is something we’ve been tracking internally and have mitigations in place for.”

This problem is likely common to every public registry. Even if the registry doesn't publish e-mail addresses, it's often easy to work them out from other sources, so attackers can build up a list of targets relatively easily.

It seems like a hard one to solve for well. Mostly the registry will only know an author by their e-mail account, so if that's compromised it could be hard to tell the difference between the author genuinely losing their creds and an attacker who has taken over the domain.

4 comments

> This problem is likely common to every public registry.

Not necessarily; it depends on what kind of authentication you are using. For example, a Google account has a unique OAuth ID, and if your GSuite/Workplace/whatever account expires and you recreate it again (regardless of the domain expiry/transfer in between), the OAuth flow will present a new ID alongside the email address.

Dart/Flutter's package manager pub.dev uses Google accounts as authentication and has this extra OAuth ID check to prevent hostile ownership takeovers.

Disclaimer: I'm a contributor to pub.dev

Interesting. Out of curiosity, is there a flow for if a package author gets permanently locked out of their Google account? There have been cases of people losing access to their entire Google account due to ToS breaches on one site (e.g. YouTube).

The safest option here would be to create an orphan package, but that has some usability concerns (will people realise it's orphaned and update accordingly?).

The mitigation against this was probably the restriction on password resets which support lifted. They just forgot to train support how to deal with it.
If so, what could support have done? How could they verify that the new person was the same as the old?

(There was no 2FA enabled)

(I think the "email address doesn't work, so disabled sending to it" theory sounds more plausible actually :-))

Some mitigations could be:

Auto-flagging every push from an account for a while after a password reset

Automatically scanning code of frequently downloaded packages for unusual changes (like: adding a postinstall script, contacting a new server in the postinstall script, obfuscated code, near-total rewrite of the code, inclusion of cryptomining, access of sensitive files like /etc/passwd or /etc/sudoers).

The vagueness of the statement suggests to me they're talking about their defense-in-depth and have never thought about this specific route to account takeover before.
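The two mitigations suggested above (flagging pushes shortly after a password reset, and scanning a new version for unusual changes such as a new postinstall script contacting a new server) sketched as a registry-side review check. This is an added illustration, not code from npm or from anyone in the thread; the package name, manifests and the 14-day window are constructed assumptions.

```python
import re

# Constructed sample: the manifest a registry already holds for a package,
# and the one being published on top of it (hypothetical package name).
OLD_MANIFEST = {
    "name": "example-widget",
    "version": "1.4.2",
    "scripts": {"test": "mocha"},
}
NEW_MANIFEST = {
    "name": "example-widget",
    "version": "1.4.3",
    "scripts": {
        "test": "mocha",
        "postinstall": "node -e \"require('https').get('https://updates.example.net/p')\"",
    },
}

# npm lifecycle hooks that run automatically on install; a newly added one
# is the classic sign of a hijacked package.
LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
RESET_WINDOW_DAYS = 14  # assumed quarantine period after a password reset


def hosts_in(scripts):
    """Hostnames referenced anywhere in a package's scripts."""
    return {h for cmd in scripts.values() for h in HOST_RE.findall(cmd)}


def review_publish(old, new, days_since_password_reset=None):
    """Return review flags for a publish; an empty list means nothing unusual.

    days_since_password_reset is None when the account has no recent reset.
    """
    flags = []
    if days_since_password_reset is not None and days_since_password_reset < RESET_WINDOW_DAYS:
        flags.append("publish within %d days of a password reset" % RESET_WINDOW_DAYS)
    old_scripts, new_scripts = old.get("scripts", {}), new.get("scripts", {})
    for hook in sorted(LIFECYCLE & (set(new_scripts) - set(old_scripts))):
        flags.append("new lifecycle script added: " + hook)
    for host in sorted(hosts_in(new_scripts) - hosts_in(old_scripts)):
        flags.append("script contacts a host not seen before: " + host)
    return flags


if __name__ == "__main__":
    for flag in review_publish(OLD_MANIFEST, NEW_MANIFEST, days_since_password_reset=2):
        print("FLAG:", flag)
```

A flagged publish would be held for human review rather than rejected outright, since legitimate releases also add scripts and hosts from time to time.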

In this case, if NPM has any mitigations like that, they would not have been triggered, because the reporter stopped once they had full access to the account.
PGP/SSH is surely usable here as 2FA. Have maintainers (or at the least owners) demonstrate their identity with both email and a key.
People will lose their GPG/SSH keys. That would cause great havoc, with thousands of projects being re-published under new names every year because their authors did not back up their SSH keys.

The only proper way to handle that is to ask for national IDs, full names, document numbers. And in case of uncertainty, ask for a photo with those docs and have human support check it. Of course it should not be required, but just show some kind of "verified" label for those people; that might be enough to push people.

Maybe "ssh keys" alongside those identity documents should become a thing in the digital age.
Estonia includes cryptographic keys with their identity docs, it's like plugging in your passport to be able to prove your identity and sign documents. It sounds like a great system, they only had to re-issue certificates once a few years ago when they realized the keys were too weak, but I can't find any other country that's taken up the decade-old technology.

They also have a state-provided email inbox for official communications, which I wish we had. A friend of mine had her car towed because the registration had lapsed -- she had ignored a letter from the DMV asking for proof of insurance b/c it looked like a scam to her. If only the government had a way to prove ITS identity.