Massive Supply-Chain Attack Hits 2B+ Weekly Downloads

Summary
– Attackers compromised nearly two dozen npm packages in a supply-chain attack affecting packages with over 2 billion combined weekly downloads.
– The attack began when a maintainer fell for a phishing email that led him to a fake npm login page asking him to "update" his two-factor authentication settings, resulting in account takeover.
– Malicious code was added to transfer cryptocurrency payments to attacker-controlled wallets by monitoring transactions on infected systems.
– The compromised packages are foundational to the JavaScript ecosystem and have thousands of dependencies, amplifying the attack’s impact.
– Security researchers believe this was a targeted attack designed to maximize reach across countless applications and frameworks.
A recent software supply-chain attack has compromised open source packages with a combined two billion-plus weekly downloads, making it one of the most extensive software supply-chain compromises recorded to date. The breach targeted nearly two dozen packages hosted on the npm registry, a cornerstone of the JavaScript development community, and was first brought to public attention through social media posts earlier this week.
The intrusion began when Josh Junon, a key maintainer of several affected packages, fell victim to a phishing email. The message falsely warned that his npm account would be deactivated unless he logged into a fraudulent site and updated his two-factor authentication settings. Junon, who operates under the handle Qix, later acknowledged the breach, stating, “Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.”
Attackers moved swiftly after gaining access, publishing new versions of nearly two dozen packages under Junon's control within about an hour. These releases embedded nearly 300 lines of malicious code engineered to hijack cryptocurrency transactions. The malware watches for crypto payments on systems running the infected code and redirects funds to wallets controlled by the attackers.
Among the 20 compromised packages were several foundational components of the JavaScript ecosystem. These packages are not only used directly in countless applications but also serve as critical dependencies for thousands of other npm modules. This widespread integration dramatically amplified the attack’s potential impact, putting a vast array of software projects at risk.
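The practical question for anyone downstream is whether one of the poisoned releases sits anywhere in their dependency tree, including several levels deep. The following is an added example, not code from the article or from any affected project: it walks an npm lockfile (lockfileVersion 2 or 3, which store every installed package under a "packages" map) for known-bad package@version pairs and reports the chain of dependencies that pulled each one in. The article does not name the affected packages or versions, so the COMPROMISED table and the SAMPLE_LOCKFILE below are constructed placeholders; substitute the real advisory list and your own package-lock.json.

```javascript
// Added example (not from the article or any affected project): audit an npm
// lockfile for known-bad versions, including transitive dependencies, and
// explain how each one was reached.

// PLACEHOLDER list, not the real advisory: package name -> set of bad versions.
const COMPROMISED = {
  "example-color-lib": new Set(["1.2.3"]),
  "example-logger": new Set(["4.4.2"]),
};

// Constructed sample, shaped like npm's lockfileVersion 3 "packages" map.
// Note the nested copy of example-color-lib: only the top-level 1.2.3 is bad.
const SAMPLE_LOCKFILE = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { "example-web-framework": "^2.0.0" } },
    "node_modules/example-web-framework": {
      version: "2.0.1",
      dependencies: { "example-logger": "^4.0.0", "example-color-lib": "^1.1.0" },
    },
    "node_modules/example-logger": {
      version: "4.4.2",
      dependencies: { "example-color-lib": "^1.0.0" },
    },
    "node_modules/example-color-lib": { version: "1.2.3" },
    "node_modules/example-web-framework/node_modules/example-color-lib": { version: "1.1.0" },
  },
};

// A "packages" key is an install path; the package name is whatever follows
// the last "node_modules/" segment. The root entry ("") has no name here.
function packageNameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Every installed copy whose name@version is in the bad list.
function findCompromised(lockfile, badVersions = COMPROMISED) {
  if (!lockfile.packages) throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  const hits = [];
  for (const [key, entry] of Object.entries(lockfile.packages)) {
    const name = packageNameFromKey(key);
    if (!name || !entry.version) continue;
    const bad = badVersions[name];
    if (bad && bad.has(entry.version)) hits.push({ name, version: entry.version, path: key });
  }
  return hits;
}

// Resolve a dependency name from the package at `fromKey` the way Node does:
// nearest node_modules directory first, then walk upward toward the root.
function resolveDependency(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = (base === "" ? "" : base + "/") + "node_modules/" + depName;
    if (candidate in packages) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Shortest chain of package names from the root to `targetKey`, or null if
// nothing reachable from the root depends on it (e.g. an orphaned entry).
function dependencyChain(lockfile, targetKey) {
  const packages = lockfile.packages;
  const parent = new Map([["", null]]);
  const queue = [""];
  while (queue.length) {
    const key = queue.shift();
    if (key === targetKey) break;
    const entry = packages[key];
    const deps = { ...entry.dependencies, ...entry.devDependencies, ...entry.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const resolved = resolveDependency(packages, key, dep);
      if (resolved !== null && !parent.has(resolved)) {
        parent.set(resolved, key);
        queue.push(resolved);
      }
    }
  }
  if (!parent.has(targetKey)) return null;
  const chain = [];
  for (let k = targetKey; k !== null; k = parent.get(k)) {
    chain.unshift(k === "" ? "(root)" : packageNameFromKey(k));
  }
  return chain;
}

function auditLockfile(lockfile, badVersions = COMPROMISED) {
  return findCompromised(lockfile, badVersions).map((hit) => ({
    ...hit,
    chain: dependencyChain(lockfile, hit.path),
  }));
}

for (const hit of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${hit.name}@${hit.version} via ${hit.chain.join(" > ")}`);
}
```

For a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The chain output is what matters for cleanup: it tells you which direct dependency to bump or pin so the bad version is no longer selected, rather than just that it exists somewhere under node_modules. The resolution step matters too, as the sample shows: the same package name can be installed at several versions in one tree, and only the copy a given dependent actually resolves to is relevant.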
Security analysts from Socket emphasized the severity of the situation, noting, “The overlap with such high-profile projects significantly increases the blast radius of this incident.” By compromising a single influential maintainer, the attackers gained the ability to distribute tainted versions of widely relied-upon code. They further observed, “Given the scope and the selection of packages impacted, this appears to be a targeted attack designed to maximize reach across the ecosystem.” The incident underscores the vulnerabilities inherent in open source software maintenance and the critical need for robust security practices among developers.
(Source: Ars Technica)