(この記事は日本語でも読むことが出来ます。)

Disclaimer

Deno Land Inc., which develops Deno, isn’t running bug bounty programs, so they don’t explicitly allow vulnerability assessments.

This article describes the vulnerabilities that were reported as potential vulnerabilities, using publicly available information. This was done without actually exploiting/demonstrating the vulnerabilities and it’s not intended to encourage you to perform an unauthorized vulnerability assessment.
If you find any vulnerabilities in Deno-related services/products, please report them to engineering@deno.com.¹

Also, the information contained in this article may be inaccurate because the information of a vulnerability couldn’t be validated.²

TL;DR

I found a vulnerability that could be used to read arbitrary files from the system running deno.land/x, and a Code Injection in encoding/yaml of Deno.
Of these, if the vulnerability in deno.land/x was exploited, the AWS credentials used to store the module in S3 could be stolen, resulting in arbitrary package tampering in deno.land/x.

(You can read this article in English too.)

免責事項

Denoを開発しているDeno Land Inc.は、脆弱性報奨金制度等を実施しておらず、脆弱性の診断行為に関する明示的な許可を出していません。

本記事は、公開されている情報を元に脆弱性の存在を推測し、実際に攻撃/検証することなく潜在的な脆弱性として報告した問題に関して説明したものであり、無許可の脆弱性診断行為を推奨することを意図したものではありません。
Deno Land Inc.が開発するサービスや製品に脆弱性を見つけた場合は、engineering@deno.comへ報告してください。¹

はじめに

@typesスコープを管理しているDefinitely Typedは、Microsoftから支援を受けているものの、Microsoftの脆弱性報奨金制度におけるセーフハーバーの対象ではありません。¹
本記事は、公開されている情報を元に脆弱性の存在を推測し、実際に検証することなく潜在的な脆弱性として報告した問題に関して説明したものであり、無許可の脆弱性診断行為を推奨することを意図したものではありません。
Definitely Typedに脆弱性を発見した場合は、Definitely Typedのメンバーへ報告してください。

Preface

Definitely Typed, a project which manages npm packages inside the @types scope, is supported by Microsoft. However, it is not in the scope of the safe harbor for Microsoft’s bug bounty program.¹

This article describes the vulnerabilities that were reported as potential vulnerabilities, using publicly available information. This was done without actually exploiting / demonstrating the vulnerabilities.

This article is not intended to encourage you to perform an unauthorized vulnerability assessment.
If you find any vulnerabilities in Definitely Typed related products, please report them to members of Definitely Typed.

TL;DR

There were vulnerabilities in the pull request management bot of Definitely Typed, which allowed an attacker to merge a malicious pull request into DefinitelyTyped/DefinitelyTyped.
This would result in tampering with arbitrary packages under the @types scope of npm.