
Malicious npm Code Infiltrated 10% of Cloud Environments

Summary

– A supply chain attack on npm packages is still active and may have affected 10% of cloud environments.
– The attacker hijacked a developer’s account via social engineering and published trojanized versions of popular packages.
– Malicious versions contained crypto-stealing malware and were available for two hours, potentially impacting many environments.
– The campaign extends beyond the initial account to others, such as duckdb, indicating ongoing activity.
– Security teams are urged to stay vigilant, validate registries, and keep blocklists current.

A newly identified supply chain attack involving malicious npm packages remains active and has already reached an estimated 10% of cloud environments, according to recent security warnings. The attack began when a threat actor used social engineering to compromise the account of a prominent developer known as “qix,” then published trojanized versions of widely used packages.

These harmful releases, which embedded crypto-stealing malware, were taken down within two hours. However, researchers at Wiz confirmed that the malicious code had already spread to a significant number of cloud systems. In the brief window when the packages were available, any frontend build incorporating them could have triggered the execution of a payload designed to intercept and reroute cryptocurrency transactions to wallets controlled by attackers.

Further investigation revealed that the campaign did not stop with the initial breach. Additional npm accounts, including one associated with “duckdb,” were also compromised, signaling that the threat remains ongoing. Malicious versions such as @duckdb/node-api@1.3.3 and @duckdb/duckdb-wasm@1.29.2 were among those published, though these were swiftly removed and saw minimal downloads.

Users and administrators of npm, the world’s largest software registry, are advised to maintain heightened vigilance. Security teams should regularly update blocklists, verify packages against trusted registries or mirrors, and treat the list of affected packages as dynamic and subject to change. Proactive monitoring and validation are essential to defending against this type of rapidly evolving software supply chain threat.
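One concrete form of the validation step above is checking an installed dependency tree against a blocklist of known-bad versions. The following is an added example, not code from the article or from Wiz; the blocklist holds only the two duckdb versions named above, and the sample package-lock.json is constructed for the demonstration.

```javascript
// Added example: scan a package-lock.json for blocklisted package versions.
// Only the two versions the article names are listed; any real blocklist should
// be refreshed from a trusted advisory feed, since the affected set changes.
const BLOCKLIST = {
  "@duckdb/node-api": new Set(["1.3.3"]),
  "@duckdb/duckdb-wasm": new Set(["1.29.2"]),
};

// Package name from a lockfile v2/v3 path, e.g.
// "node_modules/foo/node_modules/@duckdb/node-api" -> "@duckdb/node-api".
function nameFromPath(pkgPath) {
  const marker = "node_modules/";
  const idx = pkgPath.lastIndexOf(marker);
  return idx === -1 ? pkgPath : pkgPath.slice(idx + marker.length);
}

// Walk a lockfile v1 nested "dependencies" tree (name -> {version, dependencies}).
function walkV1(deps, parentPath, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    out.push({ path, name, version: info.version });
    walkV1(info.dependencies, `${path}/`, out);
  }
}

// Return every installed {path, name, version} that matches the blocklist,
// including copies nested under other packages.
function findBlocklisted(lock, blocklist = BLOCKLIST) {
  const installed = [];
  if (lock.packages) {
    for (const [pkgPath, info] of Object.entries(lock.packages)) {
      if (pkgPath === "") continue; // root project entry, not a dependency
      installed.push({ path: pkgPath, name: nameFromPath(pkgPath), version: info.version });
    }
  } else {
    walkV1(lock.dependencies, "", installed);
  }
  return installed.filter((p) => blocklist[p.name]?.has(p.version));
}

// Constructed sample lockfile (v3 layout): one clean entry, one nested bad one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@duckdb/node-api": { version: "1.3.4" },
    "node_modules/some-lib/node_modules/@duckdb/duckdb-wasm": { version: "1.29.2" },
  },
};

const hits = findBlocklisted(SAMPLE_LOCK);
console.log(hits.length ? hits : "no blocklisted versions found");
```

Point `findBlocklisted` at the parsed contents of a real lockfile to check a build, and fail the CI job when the returned array is non-empty.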

(Source: Info Security)
