[kwlug-disc] npm leak via April's github entry

Mikalai Birukou mb at 3nsoft.com
Fri May 27 07:08:40 EDT 2022


You might have received an email from npm.

Their blog https://github.blog/2022-05-26-npm-security-update-oauth-tokens/

I just want to note (focus on) a couple of things.


Quote from their email:

"""

* What information was involved? *

Your npm username, password hash, and email address in a 2015 npm 
archive of user information from a skimdb.npmjs.com backup.

"""

I guess, it should read as "What info could have been stolen?".

Reminder not to reuse passwords, and to use pass https://kwlug.org/node/1287 
or other machine-helping-you methods for keeping unique passwords/tokens.


Quote from the blog post section "What happened":

"""

Using their initial foothold of OAuth user tokens for GitHub.com, the 
actor was able to exfiltrate a set of private npm repositories, some of 
which included secrets such as AWS access keys.

Using one of these AWS access keys, the actor was able to gain access to 
npm’s AWS infrastructure.

"""

I wonder whether even the guys at npm have put tokens directly into committed 
code, or if it was copied from "proper storage of secrets" in GitHub. 
(Note: GitLab has a CI secrets-sorta thing, kept in repo settings, injected 
via environment variables when CI is run.)

I appreciate single click deployments. Can't imagine life without them, 
and with only one click the rest of the team is doing the "last but 
important" step, which is awesome.

But I have the following second thought: some friction might be needed 
in the form of a click-and-paste token for the deployment op. It adds a 
burden to have a token just for a particular op, a key from a garden's 
corner instead of the whole kingdom. And it adds the "and paste" part on the 
last step. Am I overly paranoid?

Is there another, better approach to keep fewer access capabilities on CI 
infrastructure?


Meta question: is it reasonable to question the degree of paranoid-ness 
during or right after a leak/hack?
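The post wonders whether the AWS key was sitting in committed code rather than in the CI secret store. As an added example (mine, not code from the post, from npm, or from GitHub), here is a small pre-commit style check that flags hard-coded AWS credentials before they reach a repository. It assumes the documented shape of an AWS access key ID (the literal "AKIA" followed by 16 upper-case letters or digits) and a loose "aws_secret_access_key = ..." assignment; the sample script and its key values are constructed, the keys being the placeholder credentials from AWS documentation, not real ones.

```python
"""Flag hard-coded AWS credentials in text before it is committed.

Added example for this thread, not code from the original post. Assumes the
documented AWS access key ID shape ("AKIA" + 16 upper-case alphanumerics) and
a loose secret-key assignment shape; the sample below is constructed.
"""
import re
import sys

# Access key IDs: "AKIA" followed by 16 upper-case alphanumerics (20 chars).
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Secret keys are 40 characters of base64-like text. They are only flagged
# when sitting next to a name that says what they are, to limit false hits.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)

# Constructed sample deploy script. The key values are the well-known AWS
# documentation placeholders; line 5 shows the non-flagged, environment-
# injected style that CI secret stores (GitLab CI variables etc.) rely on.
SAMPLE_DEPLOY_SCRIPT = """\
#!/bin/sh
# deploy step (constructed sample)
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
export AWS_SESSION_TOKEN="$CI_INJECTED_SESSION_TOKEN"
aws s3 sync ./build s3://example-bucket/
"""


def find_aws_secrets(text):
    """Return a list of (line_number, kind, redacted_value) for each hit.

    Values are cut to their first four characters so the scanner's own
    output does not become yet another place the secret is written down.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            hits.append((lineno, "access_key_id", m.group(0)[:4] + "..."))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            hits.append((lineno, "secret_access_key", m.group(1)[:4] + "..."))
    return hits


def added_lines_of_diff(diff_text):
    """Keep only the '+' lines of a unified diff, i.e. what would be committed."""
    return "\n".join(
        line[1:] for line in diff_text.splitlines()
        if line.startswith("+") and not line.startswith("+++")
    )


if __name__ == "__main__":
    # Usage as a hook: `git diff --cached | python scan_aws_secrets.py`
    # (file name is hypothetical). Exit non-zero so the commit is refused.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEPLOY_SCRIPT
    found = find_aws_secrets(added_lines_of_diff(source) or source)
    for lineno, kind, value in found:
        print(f"line {lineno}: possible AWS {kind}: {value}")
    sys.exit(1 if found else 0)
```

The point of the example is the contrast on lines 3 to 5 of the sample: the first two lines carry the credential itself and get flagged, while the last reads it from an environment variable that the CI system injects at run time, which is the "proper storage of secrets" pattern the post mentions and is exactly what a scanner like this should let through.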




