Vulnerability Allowing an Update to Be Released for any Package in the NPM Repository

GitHub has disclosed two incidents in the NPM package repository infrastructure. On November 2, third-party security researchers Kajetan Grzybowski and Maciej Piechota, as part of the Bug Bounty program, announced a vulnerability in the NPM repository that allows you to publish a new version of any package using your account, which is not authorized to perform such updates.