Chronicles

The story behind the story
Aikido Security says attackers injected malware into 18 npm packages with 2.6B+ total weekly downloads, after compromising a maintainer's account via phishing

Popular npm packages debug and chalk were recently compromised, exposing developers and organizations to potential malware risk. …

Charlie Eriksen: Hello. It feels like the first Monday of the fall season. And it really started the season off with some bad news. 18 super popular npm packages …

Bluesky:

Josh Junon / @bad-at-computer: Yep, I've been pwned. 2FA reset email, looked very legitimate. — Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again. — Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up. …

@nuxt.com: you may have heard about a supply chain attack on a number of packages distributed on npm. a quick update: — 1. nuxt is not vulnerable. — we do not ship code into client/server from these particular packages (this attack required running in the browser) — www.aikido.dev/blog/npm-de...

Josh Junon / @bad-at-computer: NPM has yet to respond to any of this, but it appears at least 'debug's malicious package version has been yanked. — I contacted @porkbun.com about the phishing domain and called support to have it escalated. — Nothing I can do but sit and wait right now. Sorry folks.

@svelte.dev: 2. The attack works by targeting users of browser extensions like MetaMask, patching 'fetch' and 'XMLHttpRequest' to steal crypto (excellent write-up here: jdstaerk.substack.com/p/we-just- fo...)

John David Pressman / @jdp.extropian.net: I suspect we're in the twilight period of traditional software development, and that an increasing number of successful supply chain attacks like this will be the driver towards fundamental shifts towards paranoia about dependencies and formal verification. — jdstaerk.substack.com/p/we-just- fo...

Josh Junon / @bad-at-computer: Message from NPM: — "All impacted package versions have been taken down. I'll be in touch when we have more information regarding account recovery." — I've requested further information about which packages were published, their versions, and all account actions NPM took.

Zach Leatherman / @zachleat.com: Crashing out at how poorly npm (Microsoft) is handling this security incident. Eleventy is not affected any more but *lots* of other tools in the JavaScript ecosystem are! — Hours later and the compromised package versions are still public... Maybe don't install anything from npm today, folks.

Jon Kuperman / @jonkuperman.com: watching npm not respond for hours as compromised package authors plead for help taking down infected packages

@codfather: If you or your company use node - then you need to take immediate action this is a v. serious hack just hit. — www.aikido.dev/blog/npm-deb...

Mastodon:

@cryptadamist@universeodon.com: the massive #node / #npm supply chain hack thankfully seems to have once again been aimed solely at stealing #crypto so once again if you don't use crypto you don't have much to worry about. — that said getting your #malware downloaded over a billion times is... impressive. …

Chris Adams / @acdha@code4lib.social: Clever trick in today's NPM hack: using Levenshtein to pick the replacement address most similar to the original, making it very easy for humans to miss the difference. This would work really well with things like Git commits, too... https://jdstaerk.substack.com/ ...

Chris / @cy@chaos.social: good day to disable javascript in your browser for a while — https://www.bleepingcomputer.com/ ...

Thomas / @thomasfuchs@hachyderm.io: It's almost like programming language monocultures with "best practices" and paradigms requiring hundreds or thousands of dependencies even for simple apps are harmful https://www.bleepingcomputer.com/ ...

Kevin Beaumont / @GossiTheDog@cyberplace.social: Developer confirms they fell for phishing email — It looks like others have too, found one other compromised repo from a different user, will have a dig tomorrow as bored of cyber tonight. — https://bsky.app/...

Forums:

Hacker News: NPM debug and chalk packages compromised
r/hacking: Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack
r/programming: So chalk + debug just got owned on npm... and honestly, this is the nightmare I've been expecting
r/cybersecurity: Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack
r/programming: Color NPM Package Compromised
r/linux: npm debug and chalk packages compromised (~650 million weekly downloads)
r/netsec: NPM Debug and Chalk Packages Compromised
r/programming: Largest NPM Compromise in History - Supply Chain Attack
r/npm: npm debug and chalk packages compromised
r/node: npm debug and chalk packages compromised
r/javascript: NPM package "error-ex" just got published with malware (47m downloads)
Msmash / Slashdot: Hackers Hijack npm Packages With 2 Billion Weekly Downloads in Supply Chain Attack

BleepingComputer
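A defender-side self-check for the hooking technique the posts above describe (an added example, not code from the original page, from Aikido's write-up, or from any of the quoted authors): it verifies that `fetch` and the `XMLHttpRequest` methods still print as engine-native functions, which a wrapper written in ordinary JavaScript does not. The `cleanEnv`, `hookedEnv` and `FakeXHR` objects are constructed stand-ins so the check runs offline in Node; in a browser you would pass `globalThis`.

```javascript
// Heuristic integrity check for the global network primitives. A page, extension or
// monitoring script can run this at startup and alert when fetch/XHR have been replaced.
// Caveat: bound functions and Proxies also print as "[native code]", so treat a clean
// result as one signal, not proof; a tampered result, however, is reliable.

const nativeToString = Function.prototype.toString;

// Engine-compiled functions stringify as "function name() { [native code] }".
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
}

// Report every network entry point on `globalObj` that is missing or no longer native.
// `globalObj` is a parameter so the same function works on the real global in a browser
// and on the constructed environments below.
function findTamperedNetworkHooks(globalObj) {
  const tampered = [];
  if (!isNativeFunction(globalObj.fetch)) tampered.push('fetch');
  const proto = globalObj.XMLHttpRequest && globalObj.XMLHttpRequest.prototype;
  for (const method of ['open', 'send']) {
    if (!proto || !isNativeFunction(proto[method])) {
      tampered.push(`XMLHttpRequest.prototype.${method}`);
    }
  }
  return tampered;
}

// Constructed clean environment. Node has no XMLHttpRequest, and its fetch is written in
// JavaScript rather than engine-native, so engine-native functions stand in for both.
class FakeXHR {}
FakeXHR.prototype.open = Object.prototype.hasOwnProperty;
FakeXHR.prototype.send = Object.prototype.hasOwnProperty;
const cleanEnv = { fetch: Array.prototype.push, XMLHttpRequest: FakeXHR };

// Constructed hooked environment: fetch and XMLHttpRequest.prototype.send are wrapped the
// way an in-page interceptor would wrap them, so they now stringify as plain JS source.
class HookedXHR extends FakeXHR {}
HookedXHR.prototype.send = function (body) { return FakeXHR.prototype.send.call(this, body); };
const hookedEnv = { fetch: (...args) => cleanEnv.fetch(...args), XMLHttpRequest: HookedXHR };

console.log(findTamperedNetworkHooks(cleanEnv));  // returns []
console.log(findTamperedNetworkHooks(hookedEnv)); // returns ['fetch', 'XMLHttpRequest.prototype.send']
```

In a browser, a stronger complement is to compare `globalThis.fetch` against the `fetch` of a freshly created same-origin iframe, which an in-page wrapper does not touch.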