
NPM Supply-Chain Attack Thwarted: Hackers Foiled

Summary

– The largest NPM supply-chain attack impacted 10% of cloud environments but yielded under $1,000 in profit for the attackers.
– Attackers compromised maintainer Josh Junon’s account via phishing and pushed malicious updates to popular packages like chalk and debug-js.
– The malicious code targeted cryptocurrency by redirecting Ethereum and Solana transactions to attacker-controlled wallets during a two-hour window.
– Open-source communities quickly detected and removed the packages, preventing broader security damage like reverse shells or destructive malware.
– Researchers confirmed the same phishing campaign also affected DuckDB’s maintainer, with total traced profits across all attacks estimated at around $600.

A recent and massive supply-chain attack targeting the widely used NPM ecosystem was swiftly neutralized, preventing what could have been a catastrophic security incident. While malicious updates reached an estimated 10% of cloud environments, the attackers gained very little from their efforts, highlighting both the speed of modern software distribution and the effectiveness of rapid community response.

The incident began when a maintainer of several high-profile packages, including chalk and debug-js, fell victim to a phishing attack. By compromising this single account, attackers gained the ability to push tainted updates to packages that collectively see over 2.6 billion weekly downloads. These components serve as foundational elements in nearly every JavaScript and Node.js project, so a malicious release propagates to a very large number of installs.

Once inside, the attackers inserted code designed to hijack cryptocurrency transactions. The malicious module intercepted signing requests for Ethereum and Solana, replacing legitimate wallet addresses with ones controlled by the hackers. This form of crypto-jacking, while disruptive, ultimately proved far less damaging than what might have been deployed.

Within just two hours, the open-source community identified the threat and worked with npm to remove the compromised packages. According to cloud security firm Wiz, during that narrow window, roughly one in ten cloud environments downloaded the malicious versions. This rapid uptake underscores how quickly poisoned code can spread through modern development pipelines.
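One reason a poisoned release reaches so many environments so fast is that most manifests declare floating semver ranges (caret, tilde, wildcard), so any fresh install or lockfile refresh silently resolves to the newest patch release. The following is an added example, not code from the article, from npm or from any of the projects mentioned: it audits a constructed package.json for ranges that would accept a release published after the manifest was written, and applies a minimum-age cooldown before a release is treated as installable. All package names, ranges, timestamps and the `audit.js` filename are constructed for illustration, and the range classifier is a deliberate simplification of full semver.

```javascript
// Added example, not from the article or from npm: a small offline audit of a
// package.json that (1) flags dependency ranges that would silently accept a
// newly published release and (2) applies a minimum-age "cooldown" before a
// release is considered installable. All package names, ranges and publish
// timestamps below are constructed for illustration.

// Constructed manifest in the shape of a package.json "dependencies" map.
const manifest = {
  dependencies: {
    chalk: "^5.3.0",       // caret: any 5.x.y >= 5.3.0, so a new 5.3.1 is pulled in
    debug: "~4.3.4",       // tilde: any 4.3.y >= 4.3.4
    express: "4.19.2",     // exact pin: only this version (unless the lockfile is bypassed)
    "sample-lib": "*",     // wildcard: anything at all
  },
};

// Constructed registry "time" metadata (version -> ISO publish timestamp).
// Not real registry data.
const publishTimes = {
  chalk: { "5.3.0": "2023-11-01T00:00:00Z", "5.3.1": "2025-01-01T10:00:00Z" },
};

// A fixed "current time" so the example is deterministic.
const NOW = Date.parse("2025-01-01T12:00:00Z");
const MIN_RELEASE_AGE_HOURS = 72;

// Classify a range string. Only an exact x.y.z pin never resolves to a version
// that did not exist when the manifest was written. Simplified semver: tags,
// git URLs and file: paths are reported as "other" for manual review.
function classifyRange(range) {
  const r = range.trim();
  if (/^\d+\.\d+\.\d+$/.test(r)) return "pinned";
  if (/^[~^]/.test(r) || r === "*" || r === "" || /^[<>]=?/.test(r) || /\d\.x/i.test(r)) {
    return "floating";
  }
  return "other";
}

// Return the dependencies whose range would accept a release published after
// the manifest was written.
function findFloatingDependencies(pkg) {
  return Object.entries(pkg.dependencies || {})
    .filter(([, range]) => classifyRange(range) === "floating")
    .map(([name, range]) => ({ name, range }));
}

// Numeric compare of two x.y.z strings; positive if a > b, negative if a < b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Age of a release in hours relative to NOW.
function releaseAgeHours(publishedAt) {
  return (NOW - Date.parse(publishedAt)) / 3_600_000;
}

// Newest published version of `name` that has been public for at least
// MIN_RELEASE_AGE_HOURS, or null if none qualifies. A release only a couple of
// hours old, like the malicious versions described in the article, is skipped.
function newestCooledVersion(name) {
  const times = publishTimes[name] || {};
  let best = null;
  for (const [version, publishedAt] of Object.entries(times)) {
    if (releaseAgeHours(publishedAt) < MIN_RELEASE_AGE_HOURS) continue;
    if (best === null || compareVersions(version, best) > 0) best = version;
  }
  return best;
}

// Usage (assumed filename): node audit.js
console.log("floating ranges:", findFloatingDependencies(manifest));
console.log("newest chalk version past cooldown:", newestCooledVersion("chalk"));
```

The two checks complement each other: pinning (together with `npm ci` against a committed lockfile) stops a fresh install from drifting to a version nobody reviewed, and the cooldown gives the community the window it needs to spot and unpublish a bad release before it is ever adopted. In a real pipeline the publish timestamps would come from the registry's package document rather than a constructed table.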

Fortunately, the specific nature of the payload limited the damage. Instead of deploying reverse shells, ransomware, or other persistent threats, the attackers focused solely on diverting small cryptocurrency sums. As a result, the actual financial impact was minimal, amounting to less than $1,000 in stolen funds. Most of the affected organizations faced operational disruption rather than lasting compromise.

Additional analysis revealed that the same phishing campaign also breached the maintainer account for DuckDB, where identical crypto-stealing code was introduced. Wallets linked to the attackers showed approximately $600 across various cryptocurrencies, with larger holdings already flagged and frozen, restricting the hackers’ ability to profit.

This event serves as a stark reminder of the fragility within open-source software supply chains. While the outcome could have been far worse, it reinforces the need for robust maintainer security practices, faster incident response, and greater transparency in dependency management.

(Source: Bleeping Computer)
