The primary npm registry has, since late 2014, used HTTP bearer tokens to authenticate requests from the npm command-line interface. Due to a design flaw in the CLI, these bearer tokens were sent with every request made by the CLI for logged-in users, regardless of the destination of the request. They should instead only be included for requests made against the registry or registries used for the current install.
This flaw allows an attacker to set up an HTTP server that could collect authentication information they could use to impersonate the users whose tokens they collected. This impersonation would allow them to do anything the compromised users could do, including publishing new versions of packages.
Created npm tracking bugs for this issue:
Affects: fedora-all [bug 1328414]
Affects: epel-6 [bug 1328415]
Affects: epel-7 [bug 1328416]
Blog posts from npm and nodejs upstreams:
Upstream bug report:
This is only relevant to use cases where npm is used with authentication - private repos or workstations form which developers publish new package versions. Common uses case when npm is used to install publicly available packages are not affected.
This issue has a CVE now: