
Massive npm hack poisons 18 packages with billions of downloads

Aikido Security Ltd. today disclosed what is being described as the largest npm supply chain compromise to date, after attackers injected malware into 18 popular packages that together account for more than 2.6 billion weekly downloads.

Npm packages are reusable blocks of JavaScript code published to the Node Package Manager registry that developers can install and use in their own projects. They provide common functionality, such as formatting text, connecting to databases or handling user input, so that developers do not have to write every part of a project from scratch, which makes them extremely widely used.

According to Aikido, attackers gained control of the maintainer account behind the libraries by phishing the maintainer's credentials with a fake npm support email that asked for a two-factor authentication update. Once they had access, the attackers inserted malicious code into the packages' index.js files.

The malicious code was designed to hijack cryptocurrency transactions by monitoring browser application programming interfaces such as fetch and XMLHttpRequest, and wallet interfaces such as window.ethereum, and redirecting funds to attacker-controlled addresses.

The breach was detected by Aikido within five minutes of publication and disclosed publicly within the hour, limiting potential damage despite the enormous download footprint of the affected packages. Bleeping Computer reports that the breached packages were available roughly between 9 a.m. and 11:30 a.m. today, Sept. 8.

Among the 18 libraries affected are widely used developer utilities such as chalk, with an estimated 300 million weekly downloads; debug, with about 358 million; and ansi-styles, with more than 370 million. These modules form part of the underlying fabric of the JavaScript ecosystem, meaning the compromise had the potential to cascade into a vast number of downstream applications and services.

Though no hacking group has claimed responsibility for the supply chain compromise, nor have links to a particular group been found, the attacks come after a report in July warned that the infamous North Korea-backed hacking group Lazarus was targeting open-source packages, including notably npm packages.

Discussing the seriousness of the news, Ensar Seker, chief information security officer at extended threat intelligence platform provider SOCRadar Cyber Intelligence Inc., told SiliconANGLE via email that the incident “represents a watershed moment in software supply chain security.”

“The compromise of npm packages with over 2.6 billion weekly downloads highlights just how devastating upstream attacks can be when they exploit the foundational trust built into open-source ecosystems,” explains Seker. “Attackers didn’t need to break into servers or bypass technical defenses; they simply hijacked a legitimate maintainer’s account through a targeted phishing campaign. That alone granted them the keys to a vast software kingdom.”

What’s particularly dangerous, he added, is “how the attackers used a domain that convincingly mimicked a legitimate one, npmjs.help, to socially engineer the maintainer. This wasn’t a spray-and-pray phishing attempt. It was calculated, timed and executed with a deep understanding of developer psychology. The fear-based tactic of threatening to lock accounts by a specific deadline added urgency, increasing the chance of a successful compromise.”

Ilkka Turunen, field chief technology officer at software supply chain management company Sonatype Inc., pointed to the methodology of the attack and one particular group that has the knowledge to undertake such an attack.

“It was not a random choice to target the developer of these packages,” said Turunen. “Package takeovers are now a standard tactic for advanced persistent threat groups like Lazarus, because they know they can reach a large amount of the world’s developer population by infiltrating a single under-resourced project.”

Image: SiliconANGLE/Ideogram
