SYM_GEN_0109 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of Hard-coded Credentials
| Property | Value |
|---|---|
| Language | generic |
| Severity |  |
| CWE | CWE-798: Use of Hard-coded Credentials |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
An NPM registry authentication token is stored directly in a configuration file (such as .npmrc). Hard-coding sensitive credentials in files exposes them to anyone with access to the codebase or repository.
Impact
If an attacker gains access to this token, they could publish, modify, or delete packages in your NPM account or organization, potentially leading to supply chain attacks, data leaks, or service disruption.