Use of Hard-coded Credentials
| Property | Value |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-798: Use of Hard-coded Credentials |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
An NPM registry authentication token (typically the value of an `_authToken` entry) is written as a literal into a configuration file such as `.npmrc` that is committed alongside the code. Hard-coding a credential in a tracked file exposes it to everyone with read access to the repository, its clones, forks and history, and to any CI system or build artifact that copies the file. An `.npmrc` line that refers to an environment variable instead (`//registry.npmjs.org/:_authToken=${NPM_TOKEN}`) stores nothing secret, because npm expands `${VAR}` from the environment when it reads the file; the secret is then supplied only where the build runs.
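The following script is an added example, not code from the original rule page: it flags `.npmrc` credential lines whose value is a literal rather than a `${VAR}` reference, and rewrites literal `_authToken` values into a `${NPM_TOKEN}` reference. It goes slightly beyond the description above by also covering the legacy `_auth` and `_password` keys. The environment variable name `NPM_TOKEN`, the function names and the sample file contents (including the token string, which is a made-up placeholder) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original rule page): detect and remediate
# hard-coded registry credentials in an .npmrc-style file.
set -eu

# Write a constructed sample .npmrc to the given path. The _authToken value on
# the second line is a made-up placeholder, not a real credential; the third
# line shows the safe form, a ${VAR} reference that npm expands at run time.
write_sample_npmrc() {
    printf '%s\n' \
        'registry=https://registry.npmjs.org/' \
        '//registry.npmjs.org/:_authToken=npm_EXAMPLEtoken0000DoNotUse' \
        '//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}' \
        'always-auth=true' \
        > "$1"
}

# Print every line of the file that assigns a literal value to a credential
# key (_authToken, _auth or _password), whether registry-scoped
# ("//host/:_authToken=...") or global. A value that is exactly a ${VAR}
# reference, optionally quoted, is not reported because nothing secret is
# stored in the file.
npmrc_hardcoded_credential_lines() {
    grep -E '^[[:space:]]*(//[^=]*:)?(_authToken|_auth|_password)[[:space:]]*=' "$1" \
        | grep -Ev '=[[:space:]]*"?\$\{[A-Za-z_][A-Za-z0-9_]*\}"?[[:space:]]*$' \
        || true
}

# Same check as a count; a non-zero result is what a CI gate would fail on.
npmrc_hardcoded_credential_count() {
    npmrc_hardcoded_credential_lines "$1" | grep -c . || true
}

# Remediation: rewrite every literal _authToken value into a ${NPM_TOKEN}
# reference (the variable name is an assumption of this example) and replace
# the file in place. Lines whose value already starts with "$" are untouched.
# The exposed token itself must still be revoked and reissued; rewriting the
# file does not remove it from version-control history.
npmrc_move_token_to_env() {
    sed -E 's#^([[:space:]]*(//[^=]*:)?_authToken[[:space:]]*=)[^$].*$#\1${NPM_TOKEN}#' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demonstration on the constructed sample.
SAMPLE_DIR=$(mktemp -d)
write_sample_npmrc "$SAMPLE_DIR/.npmrc"
echo "Before: $(npmrc_hardcoded_credential_count "$SAMPLE_DIR/.npmrc") hard-coded credential line(s)"
npmrc_hardcoded_credential_lines "$SAMPLE_DIR/.npmrc"
npmrc_move_token_to_env "$SAMPLE_DIR/.npmrc"
echo "After:  $(npmrc_hardcoded_credential_count "$SAMPLE_DIR/.npmrc") hard-coded credential line(s)"
cat "$SAMPLE_DIR/.npmrc"
rm -r "$SAMPLE_DIR"
```

Run it on a real file with `npmrc_hardcoded_credential_count path/to/.npmrc` in a pre-commit hook or CI step and fail the job when the count is not zero; the `${VAR}` exclusion is what keeps the correctly remediated file from being flagged again.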
Impact
An attacker who obtains the token can act as your account or organization against the registry: publish new or malicious versions of your packages, modify or unpublish existing ones, and read any private packages the token is scoped to. Because downstream projects install your packages automatically, this turns into a supply chain attack on every consumer, in addition to the direct data leak or service disruption. Removing the line from the current revision is not enough once it has been committed: the token remains in version-control history and in any copies of the file, so it must be revoked and reissued.