by ghughes 1577 days ago
I don't like GitHub's security screener dismissing this report because of the "social engineering" aspect. There is a real problem here; it's easy to imagine this disclosure leading to another major OSS supply chain incident. I hope GitHub security folks are taking this more seriously than indicated by the response to the researcher.

> Their response seemed to indicate that the account was flagged due to previous issues sending emails, which would be expected with the domain having expired.

It's entirely possible that the domain could have been re-registered long before their next attempt to send an email to it.

I wonder if it's safer (and plausible) to run a daily whois audit job for all maintainer email domains and block anything that enters the redemptionPeriod status?

3 comments
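The daily WHOIS audit proposed in the comment above, sketched as an added Python example that is not part of this thread. It flags a maintainer email when its domain shows an at-risk EPP status (redemptionPeriod, pendingDelete), has no record at all, or has a Creation Date that differs from the one recorded when the email was verified, which catches the re-registration case. The WHOIS responses, baseline dates and email addresses are constructed; a real job would replace the `lookup` callable with a WHOIS/RDAP query.

```python
import re
# Constructed sample WHOIS responses (not real registry output); in a real job,
# lookup(domain) would query WHOIS/RDAP instead of this dict.
SAMPLE_WHOIS = {
    "example.com": (
        "Creation Date: 1995-08-14T04:00:00Z\n"
        "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\n"
    ),
    "lapsed.example": (
        "Creation Date: 2012-03-01T00:00:00Z\n"
        "Domain Status: redemptionPeriod https://icann.org/epp#redemptionPeriod\n"
        "Domain Status: clientHold https://icann.org/epp#clientHold\n"
    ),
    "reregistered.example": (
        "Creation Date: 2024-01-10T00:00:00Z\n"  # newer than the baseline below
        "Domain Status: ok https://icann.org/epp#ok\n"
    ),
}
# Constructed baseline: creation date seen when each maintainer verified the address.
BASELINE_CREATED = {
    "example.com": "1995-08-14T04:00:00Z",
    "lapsed.example": "2012-03-01T00:00:00Z",
    "reregistered.example": "2009-06-30T00:00:00Z",
}
# EPP statuses meaning the registrant has lost, or is about to lose, the domain.
AT_RISK_STATUSES = {"redemptionPeriod", "pendingDelete"}
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.MULTILINE)
CREATED_RE = re.compile(r"^\s*Creation Date:\s*(\S+)", re.MULTILINE)

def email_domain(email):
    return email.rsplit("@", 1)[1].lower()

def domain_findings(domain, whois_text, baseline_created):
    # Reasons this domain should no longer be trusted for password resets.
    if whois_text is None:  # no record at all: anyone could register it now
        return ["noWhoisRecord"]
    findings = sorted(set(STATUS_RE.findall(whois_text)) & AT_RISK_STATUSES)
    m = CREATED_RE.search(whois_text)
    if m and baseline_created and m.group(1) != baseline_created:
        findings.append("creationDateChanged")  # registered anew since verification
    return findings

def audit_maintainers(emails, lookup=SAMPLE_WHOIS.get, baseline=BASELINE_CREATED):
    # Map each at-risk maintainer email to its findings; empty dict means all clear.
    flagged = {}
    for email in emails:
        d = email_domain(email)
        f = domain_findings(d, lookup(d), baseline.get(d))
        if f:
            flagged[email] = f
    return flagged
```

Accounts returned by `audit_maintainers` are the ones whose email-based password reset should be disabled until the maintainer re-verifies through another factor.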

> I don't like GitHub's security screener dismissing this report because of the "social engineering" aspect.

Agreed.

I get where it comes from: npm isn't responsible for individual contributors getting social-engineered, but this is much deeper than that, and part of the flaw is with npm's support allowing the password reset to go through.

What do you suggest as an alternative to password reset based on the account email?

If you retired the email because the domain expired, maybe don't let it reset existing accounts. It's dead.

I'm surprised Microsoft didn't categorise it as "Important, Spoofing".

https://github.com/oskarsve/ms-teams-rce/blob/main/README.md

These "social engineering" vulnerabilities could be the maximum-severity low-hanging fruit for hackers. GitHub should definitely revisit their policies and reward the people disclosing these.