Fake npm 2FA Reset Email Used to Hijack Popular Code Packages

▼ Summary
– Malicious versions of at least 18 widely used npm packages were uploaded to the npm Registry on September 8 after a maintainer’s account was compromised.
– The attacker used a phishing email to capture the maintainer’s password and a one-time 2FA code, then changed the account email and uploaded harmful updates.
– The malicious code silently intercepts crypto and web3 activity in browsers, redirecting funds to attacker-controlled accounts without user awareness.
– These packages collectively have over 2 billion weekly downloads, potentially affecting many applications, though quick detection limited widespread impact.
– Security experts warn that such supply chain attacks are common and urge organizations to audit dependencies and implement security checks in their development pipelines.
A sophisticated phishing campaign targeting npm package maintainers has led to the compromise of at least 18 widely used JavaScript libraries, injecting malicious code designed to hijack cryptocurrency transactions. The attack, which unfolded on September 8, underscores the persistent threat to open-source software supply chains and the critical need for heightened security awareness among developers.
The malicious code, embedded in updated versions of popular packages like ansi-styles, debug, and chalk, operates by intercepting web traffic and manipulating wallet interactions in the browser. Once executed, it silently redirects cryptocurrency payments and approvals to attacker-controlled accounts, leaving users unaware of the manipulation. Security researcher Charlie Eriksen emphasized that the malware operates across multiple layers, altering website content, tampering with API calls, and subverting transaction signatures without visible signs of interference.
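The interception pattern the paragraph above describes, shown in an added example that is not code from the compromised packages or from the researchers cited: a constructed wallet provider object stands in for the browser's injected wallet API, a hook rewrites the destination of outgoing transactions while forwarding everything else unchanged, and a reference snapshot taken before any dependency code runs detects that the provider's function has been swapped. All addresses and the provider object are constructed placeholders, and calls are synchronous for brevity (real EIP-1193 providers return Promises).

```javascript
// Constructed placeholder addresses; not real accounts.
const ATTACKER = '0x' + 'ab'.repeat(20);
const MERCHANT = '0x' + 'cd'.repeat(20);

// Constructed stand-in for an injected wallet provider. A real provider would hand
// eth_sendTransaction to the wallet for signing; this one just echoes the request.
function makeProvider() {
  return {
    request({ method, params }) {
      if (method === 'eth_sendTransaction') return { submitted: params[0] };
      return null;
    },
  };
}

// Record the function references a page relies on as early as possible, before any
// third-party bundle has a chance to replace them.
function snapshotFunctions(target, names) {
  const snap = {};
  for (const name of names) snap[name] = target[name];
  return snap;
}

// Return the names whose current reference no longer matches the snapshot.
function findReplacedFunctions(target, snap) {
  return Object.keys(snap).filter((name) => target[name] !== snap[name]);
}

// The general shape of the hijack: wrap request(), rewrite the "to" field of outgoing
// transactions, then forward to the original so the dapp sees normal-looking replies.
function installRedirectHook(provider, attacker) {
  const original = provider.request.bind(provider);
  provider.request = function (args) {
    if (args.method === 'eth_sendTransaction' && Array.isArray(args.params)) {
      const [tx, ...rest] = args.params;
      return original({ ...args, params: [{ ...tx, to: attacker }, ...rest] });
    }
    return original(args);
  };
}

// Run the scenario end to end and return what each side observed.
function demo() {
  const provider = makeProvider();
  const snap = snapshotFunctions(provider, ['request']);
  const tx = { to: MERCHANT, value: '0x1' };

  const before = provider.request({ method: 'eth_sendTransaction', params: [tx] });
  installRedirectHook(provider, ATTACKER);
  const after = provider.request({ method: 'eth_sendTransaction', params: [tx] });

  return {
    destinationBefore: before.submitted.to,
    destinationAfter: after.submitted.to,
    replaced: findReplacedFunctions(provider, snap),
  };
}
```

The snapshot check only works if it runs before the compromised code, which a malicious dependency bundled into the same page can defeat by loading first; treat it as one signal, not as the control that keeps a tainted version out of the build.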
The breach originated when developer Josh Junon received a convincing phishing email appearing to come from npm support, urging him to reset his two-factor authentication (2FA) credentials. The message, sent from support[@]npmjs[.]help, mimicked official communications and exploited a moment of distraction. Junon, opening the link on a mobile device, entered his login details and one-time password on a fraudulent site that even issued him a new TOTP key, a tactic likely intended to keep the victim from noticing anything wrong while the captured password and code were relayed to the real login page in an adversary-in-the-middle fashion.
With these credentials, the threat actor gained access to Junon’s npm account, changed the associated email to lock him out, and began publishing weaponized versions of his packages. The malicious updates were live for only a few hours before being detected and removed, but their potential impact was significant due to the packages’ collective weekly download count exceeding two billion.
Further investigations revealed that the same threat actor compromised additional packages maintained by other developers, indicating a broader campaign. ReversingLabs identified hundreds of GitHub repositories containing related malicious code, though the full scope of affected projects remains unclear. Fortunately, the rapid response from the security community limited widespread adoption of the tainted versions.
Ilkka Turunen, Field CTO at Sonatype, noted that package takeovers have become a standard tactic for advanced threat groups seeking to infiltrate organizations at scale. While this incident focused on crypto theft, the same method could be used to implant backdoors, exfiltrate secrets, or deploy ransomware. Nathan Webb of Acumen Cyber highlighted the importance of tools like npm audit to automatically identify and remediate vulnerabilities in dependencies. Note that npm audit compares installed versions against the registry's advisory database, so it flags a malicious release only once an advisory for it has been published; it is not a substitute for controls that keep a freshly published version out of a build in the first place.
Security experts warn that this incident could have had far more severe consequences had the attacker pursued objectives beyond financial theft. The episode serves as a stark reminder for organizations to rigorously audit software supply chains, implement dependency scanning in development pipelines, and educate team members on identifying social engineering attempts.
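One concrete pipeline check of the kind recommended above, as an added example that is not code from HelpNet Security, npm, or any of the quoted vendors: a function that walks a package-lock.json (lockfile v3 shape) and reports entries that lack an integrity hash, resolve outside the public registry, sit on an organisation's deny list, or were published more recently than a minimum age. Every input here is constructed; in a real pipeline the publish timestamps would be fetched from the "time" object of https://registry.npmjs.org/<name>, and the deny list would be maintained by the organisation.

```javascript
const REGISTRY = 'https://registry.npmjs.org/';
const HOUR_MS = 3600 * 1000;

// Constructed lockfile fragment; package names are invented for the example.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad-ish': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz',
      integrity: 'sha512-AAAA',
    },
    'node_modules/fresh-lib': {
      version: '2.0.1',
      resolved: 'https://registry.npmjs.org/fresh-lib/-/fresh-lib-2.0.1.tgz',
      integrity: 'sha512-BBBB',
    },
    'node_modules/mirror-lib': {
      version: '0.3.0',
      resolved: 'https://example.invalid/mirror-lib-0.3.0.tgz',
      integrity: 'sha512-CCCC',
    },
    'node_modules/no-hash-lib': {
      version: '4.4.0',
      resolved: 'https://registry.npmjs.org/no-hash-lib/-/no-hash-lib-4.4.0.tgz',
    },
  },
};

// Constructed stand-in for registry publish times (name -> version -> ISO date).
const SAMPLE_PUBLISH_TIMES = {
  'left-pad-ish': { '1.0.0': '2024-01-10T00:00:00.000Z' },
  'fresh-lib': { '2.0.1': '2025-09-08T13:00:00.000Z' },
  'mirror-lib': { '0.3.0': '2024-06-01T00:00:00.000Z' },
  'no-hash-lib': { '4.4.0': '2024-06-01T00:00:00.000Z' },
};

// Constructed deny list: versions the organisation has chosen to block outright.
const SAMPLE_DENYLIST = { 'mirror-lib': ['0.3.0'] };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return lockPath.slice(idx + 'node_modules/'.length);
}

// Return one finding per violated rule; an empty array means the lockfile passes.
function checkLockfile(lock, publishTimes, denylist, { now, minAgeHours }) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue; // the root project itself
    const name = packageName(path);
    const version = entry.version;
    const flag = (rule) => findings.push({ name, version, rule });

    if (!entry.integrity) flag('missing-integrity');
    if (!entry.resolved || !entry.resolved.startsWith(REGISTRY)) flag('unexpected-source');
    if ((denylist[name] || []).includes(version)) flag('denylisted');

    const published = publishTimes[name] && publishTimes[name][version];
    if (!published) flag('unknown-publish-time');
    else if (now - Date.parse(published) < minAgeHours * HOUR_MS) flag('too-new');
  }
  return findings;
}

// Evaluate the constructed inputs with a 72-hour minimum age at a fixed "now".
function runSample() {
  return checkLockfile(SAMPLE_LOCK, SAMPLE_PUBLISH_TIMES, SAMPLE_DENYLIST, {
    now: Date.parse('2025-09-08T16:00:00.000Z'), // constructed current time
    minAgeHours: 72,
  });
}
```

The minimum-age rule is the one that would have mattered here: the tainted versions were live for only a few hours, so a build that refuses any version younger than a few days never pulls them in, regardless of whether an advisory exists yet. Pair it with `npm ci` against a committed lockfile so the check covers exactly what gets installed.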
(Source: HelpNet Security)
