Publicly accessible NPM Log file

The Node Package Manager (NPM) is a powerful package management utility that is used to install, uninstall, and manage libraries and dependencies in the Node.js platform.

Impact

The attacker may be able to retrieve sensitive information about the application and its development environment like version, dependency tree, environment variables, and other sensitive information that may help in an advanced targeted attack.

Solution

Restrict access to the NPM Log file with proper security controls.

References

• https://docs.npmjs.com/