vsts-npm-auth is an NPM package used to authenticate a Windows machine so it can pull NPM packages. This is needed if you’re pulling packages from a feed that requires authentication, either as a developer or as a pipeline.
The problem is that it’s not a safe or reliable package. There is no source code shared for it. That is suspicion #1. All I see there are some DLLs and executables.
Do you trust this on your developer machines and in your pipelines, especially if your organization uses SSO for everything?
Suspicion #2 is that the contributors are unknown. Here is a list of the contributors:
https://www.npmjs.com/~edergachev
https://www.npmjs.com/~tkasparek_ms
https://www.npmjs.com/~wgasior
https://www.npmjs.com/~bsmid
https://www.npmjs.com/~martinmrazik
https://www.npmjs.com/~vsonline
https://www.npmjs.com/~embetten
https://www.npmjs.com/~johnschmeichel
https://www.npmjs.com/~viexianong
Maybe just Microsoft engineers pushing an auth package? Who knows? They don’t have an organization added and they are not as public as you’d expect from GitHub repository contributors… Furthermore, their contribution pattern is very similar. Too similar?
Problem #3 is that, given the above, how did this package come to be recommended even in Microsoft documentation? Is this an intern’s first time writing a blog post or updating some documentation at Microsoft? Is it worse?
How can we determine these things? It’s better to be safe than sorry. I would stop using vsts-npm-auth to get your auth for NPM packages. If you are using a private NPM feed of your own inside Azure DevOps, you can create a token for access and add the token to your .npmrc file instead of using vsts-npm-auth. Unfortunately, the recommendation to use vsts-npm-auth has already been a thing for a couple of years…
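Doing what the previous paragraph recommends without any helper package, as an added example that is not from the original post or from vsts-npm-auth: a POSIX shell function that emits the .npmrc auth entries for an Azure Artifacts npm feed from a personal access token, plus a wrapper that appends them to the user-level npmrc. It assumes the standard Azure Artifacts feed URL layout (pkgs.dev.azure.com/<org>/_packaging/<feed>/npm/); the org, feed and token values are placeholders.

```shell
#!/bin/sh
# Added example (not code from the original post or from vsts-npm-auth).
# Assumption: the feed is an Azure Artifacts npm feed at
#   //pkgs.dev.azure.com/<org>/_packaging/<feed>/npm/
# and the PAT (Packaging: Read scope) arrives via a secret variable, so the
# token never has to be typed into, or committed with, the project.

# Print the .npmrc lines for one feed. Args: org feed pat
npmrc_entries() {
  org="$1"; feed="$2"; pat="$3"
  base="//pkgs.dev.azure.com/${org}/_packaging/${feed}/npm"
  # Azure Artifacts expects the PAT base64-encoded in the _password field.
  enc="$(printf '%s' "$pat" | base64 | tr -d '\n')"
  # Both the registry path and the feed root need credentials.
  for scope in "${base}/registry/" "${base}/"; do
    printf '%s:username=%s\n' "$scope" "$org"
    printf '%s:_password=%s\n' "$scope" "$enc"
    # npm requires an email entry; Azure Artifacts ignores its value.
    printf '%s:email=not-used@example.invalid\n' "$scope"
  done
  printf 'always-auth=true\n'
}

# Append the entries to the user-level npmrc (default ~/.npmrc), never to the
# project .npmrc, which is normally committed to source control.
# Args: org feed pat [output-file]
write_user_npmrc() {
  out="${4:-$HOME/.npmrc}"
  # Subshell so the restrictive umask (owner-only file) does not leak out.
  ( umask 077; npmrc_entries "$1" "$2" "$3" >> "$out" )
}

# Usage, with placeholder org/feed and the PAT taken from the environment:
#   AZ_NPM_PAT='<your-pat>' sh -c '. ./npmrc.sh; write_user_npmrc myorg myfeed "$AZ_NPM_PAT"'
```

The project .npmrc then needs only the `registry=https://pkgs.dev.azure.com/<org>/_packaging/<feed>/npm/registry/` line, and `npm install` authenticates from the user-level file.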
I would rather be safe than sorry, so I am raising this concern this way to get more visibility into what this package is, how we can verify it, and how we can establish trust. Noting that this package is not actually needed for auth to pull down NPM packages, it’s safer to just not use it.
Best,
Cyrs