Arbitrary Code Execution via npm misconfiguration – installing internal libraries from the public registry
Team Summary
Official summary from LY Corporation
Due to a misconfiguration of the private NPM registry, a Node.js-based project was able to install a malicious module generated by an attacker instead of the normal module. If an attacker registers a higher version with the same name as a private module on the global registry, the malicious module will be downloaded and installed from the global registry rather than the normal package stored in the private registry when building Node.js-based projects. If the malicious package is installed, the malicious script in the package is executed on the machine to which it was downloaded. As such, arbitrary code execution could have occurred on the affected hosts.
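The summary above describes a dependency confusion: when the private registry is misconfigured so that npm also sees the public registry, npm's "highest version that satisfies the range" rule lets an attacker-published package with the same name and a higher version win, and its install script then runs on the build host. The following is an added example written for this page, not code from the report, from the reporter, or from LY Corporation. It does two things: it audits a constructed package-lock.json for internal-looking names whose tarball was resolved from registry.npmjs.org (and whether that package carries an install script), and it models the version-selection rule for plain x.y.z versions with `^` and `*` ranges. The scope `@acme`, the `acme-` prefix, the registry URL `npm.internal.example`, and all package entries are hypothetical.

```javascript
// Added example, not code from the report or from LY Corporation.
// (1) audit an npm lockfile for internal package names that resolved to
//     the public registry;
// (2) minimal model of npm's "highest satisfying version" selection,
//     which is why a higher public version beats the private package.
// All names, scopes and registry URLs are hypothetical.

const PUBLIC_REGISTRY = "https://registry.npmjs.org/";
const PRIVATE_REGISTRY = "https://npm.internal.example/"; // assumed internal registry

// Constructed package-lock.json (lockfileVersion 3 shape, abridged).
// acme-internal-utils was meant to come from the private registry but
// resolved to npmjs.org at 1.99.0 and carries an install script.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "acme-internal-utils": "^1.2.0", "@acme/logger": "^2.0.0", express: "^4.18.0" } },
    "node_modules/acme-internal-utils": {
      version: "1.99.0",
      resolved: PUBLIC_REGISTRY + "acme-internal-utils/-/acme-internal-utils-1.99.0.tgz",
      hasInstallScript: true,
    },
    "node_modules/@acme/logger": {
      version: "2.0.1",
      resolved: PRIVATE_REGISTRY + "@acme/logger/-/logger-2.0.1.tgz",
    },
    "node_modules/express": {
      version: "4.18.2",
      resolved: PUBLIC_REGISTRY + "express/-/express-4.18.2.tgz",
    },
  },
};

// Internal naming convention assumed for this example.
const isAcmeInternal = (name) => name.startsWith("@acme/") || name.startsWith("acme-");

// "node_modules/a/node_modules/@s/b" -> "@s/b" (handles nested installs)
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Flag every internal-named package whose tarball came from the public registry.
function auditLockfile(lock, isInternal) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    if (!isInternal(name)) continue;
    const resolved = entry.resolved || "";
    if (resolved.startsWith(PUBLIC_REGISTRY)) {
      findings.push({
        name,
        version: entry.version,
        resolved,
        hasInstallScript: entry.hasInstallScript === true, // code runs at install time
      });
    }
  }
  return findings;
}

// --- version selection model (plain x.y.z versions; ^ and * ranges only) ---
const parseVersion = (v) => v.split(".").map(Number);

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// ^x.y.z with x > 0: same major and >= x.y.z. "*" matches anything.
function satisfies(range, version) {
  if (range === "*") return true;
  if (!range.startsWith("^")) throw new Error("example supports only ^ and * ranges");
  const base = range.slice(1);
  return parseVersion(version)[0] === parseVersion(base)[0] && compareVersions(version, base) >= 0;
}

// npm installs the highest published version satisfying the range. When a
// misconfigured registry merges private and public views, the attacker's
// higher public version is the one chosen.
function pickHighest(range, candidates) {
  const ok = candidates.filter((v) => satisfies(range, v));
  if (ok.length === 0) return null;
  return ok.reduce((best, v) => (compareVersions(v, best) > 0 ? v : best));
}
```

Running `auditLockfile(SAMPLE_LOCK, isAcmeInternal)` reports only `acme-internal-utils`, resolved from npmjs.org at 1.99.0 with an install script; `pickHighest("^1.2.0", ["1.2.3", "1.99.0"])` returns `"1.99.0"`, showing that the attacker does not even need a major-version bump, only a version above the private one inside the declared range. The usual hardening for scoped names is to pin the scope in `.npmrc` (`@acme:registry=https://npm.internal.example/`, using the hypothetical scope and URL from the example) so npm never queries the public registry for them; unscoped internal names cannot be pinned this way, which is why a lockfile audit like the one above is worth keeping in CI.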
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$11500.00
Submitted
Weakness
Code Injection