A popular npm package with more than 3.5 million downloads per week was found to be vulnerable to an account-takeover attack. "The package can be taken over by recovering the domain name of one of its maintainers and resetting the password," software supply chain security company Illustria said.

While npm's security protections allow only one active e-mail address per account, the Israeli company said it was able to reset the associated GitHub password using the recovered domain. In short, the attack lets a threat actor compromise the GitHub account tied to the package and publish trojanized versions that could be weaponized for supply chain attacks on the npm registry.

This is achieved by taking advantage of a GitHub Action configured in the repository to publish the package automatically whenever new code changes are pushed. "Although the maintainer's npm user account has [two-factor authentication] correctly configured, this automation token bypasses it," Bogdan Kortnov, Illustria's co-founder and CTO, said.

Illustria did not disclose the name of the module, but said it has since reached out to the maintainer, who has taken steps to secure the account.

This is not the first time developer accounts have been exposed to such compromises in recent years. In May 2022, a threat actor hijacked a maintainer's account to distribute a malicious version of the ctx Python package.
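The first step of the attack described above is a maintainer e-mail domain that can be recovered by someone else. A defender-side check, added here as an example that is not part of the article or of Illustria's work, parses the `maintainers` array of an npm registry metadata document and flags maintainers whose e-mail domain no longer resolves. The package name, maintainer names and domains are constructed; the resolver is injectable so the check can run offline.

```python
import json
import socket
from typing import Callable

# Constructed excerpt in the shape of https://registry.npmjs.org/<name>.
# Package, maintainers and domains are made up for this example.
SAMPLE_REGISTRY_DOC = json.dumps({
    "name": "example-widget",
    "maintainers": [
        {"name": "alice", "email": "alice@maintained-example.test"},
        {"name": "bob", "email": "bob@lapsed-domain-example.test"},
        {"name": "carol", "email": "carol@maintained-example.test"},
    ],
})


def maintainer_domains(registry_doc: str) -> dict[str, set[str]]:
    """Map each e-mail domain to the set of maintainer names that use it."""
    doc = json.loads(registry_doc)
    by_domain: dict[str, set[str]] = {}
    for m in doc.get("maintainers", []):
        email = m.get("email", "")
        if "@" not in email:
            continue  # malformed or missing address; nothing to check
        domain = email.rsplit("@", 1)[1].lower()
        by_domain.setdefault(domain, set()).add(m.get("name", "?"))
    return by_domain


def domain_resolves(domain: str) -> bool:
    """Default live check: does the domain still have an address record?

    A domain that fails to resolve is only a trigger for manual WHOIS and
    registrar review, not proof that it has expired (a mail-only domain may
    carry MX records and no A record)."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def stale_domain_maintainers(
    registry_doc: str,
    resolves: Callable[[str], bool] = domain_resolves,
) -> dict[str, set[str]]:
    """Return {domain: maintainers} for every domain the resolver rejects.

    Each hit is a maintainer whose password-reset path may depend on a
    domain that is no longer under their control."""
    return {
        domain: names
        for domain, names in maintainer_domains(registry_doc).items()
        if not resolves(domain)
    }
```

Run the same check against a real package by fetching its registry document and pairing the flagged domains with a WHOIS expiry lookup; a publish workflow token should also be reviewed separately, since, as the article notes, it sidesteps the maintainer's 2FA.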