LY Corporation: Arbitrary Code Execution via npm misconfiguration – installing internal libraries from the public registry
Due to a misconfiguration of the private npm registry, a Node.js-based project was able to install a malicious module created by an attacker instead of the legitimate module. If an attacker registers a higher version with the same name as a private module on the global registry, it will download and insta...
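
A defender can check for the condition described above by auditing the lockfile: the following added example (not part of the original report) flags internal package names whose `resolved` URL in a package-lock.json (lockfileVersion 2 or 3) points anywhere other than the private registry. The registry host `npm.internal.example`, the internal package names and the sample lockfile are all constructed assumptions.

```javascript
// Added example: flag internal packages that the lockfile shows were
// resolved from outside the private registry. All names are constructed.
const PRIVATE_REGISTRY_HOST = "npm.internal.example"; // assumption
const INTERNAL_NAMES = new Set(["corp-auth-utils", "corp-logger"]); // assumption

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" -> null
function packageNameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

function findConfusedPackages(lock, internalNames, privateHost) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromLockKey(key);
    if (!name || !internalNames.has(name)) continue;
    let host = null;
    try {
      host = new URL(entry.resolved).host;
    } catch {
      // Missing or non-URL "resolved": host stays null and is reported for review.
    }
    if (host !== privateHost) {
      findings.push({ name, version: entry.version, resolvedHost: host });
    }
  }
  return findings;
}

// Constructed sample lockfile: one internal package resolved correctly,
// one internal name resolved from the public registry at a high version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/corp-logger": { version: "1.4.2",
      resolved: "https://npm.internal.example/corp-logger/-/corp-logger-1.4.2.tgz" },
    "node_modules/corp-auth-utils": { version: "99.0.0",
      resolved: "https://registry.npmjs.org/corp-auth-utils/-/corp-auth-utils-99.0.0.tgz" },
    "node_modules/left-pad": { version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  },
};

console.log(findConfusedPackages(sampleLock, INTERNAL_NAMES, PRIVATE_REGISTRY_HOST));
```

Running this in CI against the committed lockfile catches a swapped source before `npm ci` installs it; it depends on the internal name list being kept current.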