Affected versions of the npm package include the bearer token of the logged-in user in every request made by the CLI, even when the request is not directed at the user's active registry.
An attacker could set up an HTTP server to collect tokens and, by various means including but not limited to install scripts, cause the npm CLI to make a request to that server, compromising the user's token.
A compromised token could be used to do anything the user could do, including publishing new packages.
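To make the bug class concrete, here is an added example (not npm's own code, and not taken from the referenced fix commits) of the decision "may this request carry the user's bearer token?" in the form the advisory describes, next to a hardened form that scopes the token to the active registry's origin; the registry value, token string and request URLs are constructed for the illustration.

```javascript
// Added example (not npm's own code): deciding whether an outgoing CLI
// request may carry the user's bearer token. URLs and token are constructed.

// Vulnerable form: the token is attached to every request, whatever the host.
function vulnerableAuthHeaders(requestUrl, config) {
  return config.token ? { authorization: `Bearer ${config.token}` } : {};
}

// Hardened form: the token is attached only when the request's scheme and
// host match the active registry, so a tarball or other request that an
// install script points at an unrelated host receives no credential.
function hardenedAuthHeaders(requestUrl, config) {
  const target = new URL(requestUrl);
  const registry = new URL(config.registry);
  const sameOrigin =
    target.protocol === registry.protocol && target.host === registry.host;
  if (!config.token || !sameOrigin) return {};
  return { authorization: `Bearer ${config.token}` };
}

// Audit helper: given the URLs one CLI run would fetch, list those to which
// the vulnerable logic would have sent the token but the hardened logic
// would not, i.e. the requests that would have exposed the credential.
function leakingRequests(urls, config) {
  return urls.filter(
    (u) =>
      'authorization' in vulnerableAuthHeaders(u, config) &&
      !('authorization' in hardenedAuthHeaders(u, config))
  );
}

// Constructed sample: an active registry, one legitimate registry request
// and one request directed at an unrelated host (the collection server the
// advisory describes).
const sampleConfig = {
  registry: 'https://registry.npmjs.org/',
  token: 'constructed-example-token',
};
const sampleUrls = [
  'https://registry.npmjs.org/some-package/-/some-package-1.0.0.tgz',
  'http://example.invalid:8080/collect',
];
console.log(leakingRequests(sampleUrls, sampleConfig));
```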
Remediation: npm install npm@latest -g
References:
blog.npmjs.org/post/142036323955/fixing-a-bearer-token-vulnerability
www-01.ibm.com/support/docview.wss?uid=swg21980827
github.com/advisories/GHSA-m5h6-hr3q-22h5
github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29
github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401
github.com/npm/npm/issues/8380
nodejs.org/en/blog/vulnerability/npm-tokens-leak-march-2016
nvd.nist.gov/vuln/detail/CVE-2016-3956
www.npmjs.com/advisories/98