Aikido Security says attackers injected malware into 18 npm packages with 2.6B+ total weekly downloads, after compromising a maintainer's account via phishing
Popular npm packages debug and chalk were recently compromised, exposing developers and organizations to potential malware risk. …

Charlie Eriksen: Hello. It feels like the first Monday of the fall season. And it really started the season off with some bad news. 18 super popular npm packages …

Bluesky:

Josh Junon / @bad-at-computer: Yep, I've been pwned. 2FA reset email, looked very legitimate. — Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again. — Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.

@nuxt.com: you may have heard about a supply chain attack on a number of packages distributed on npm. a quick update: — 1. nuxt is not vulnerable. — we do not ship code into client/server from these particular packages (this attack required running in the browser) — www.aikido.dev/blog/npm-de...

Josh Junon / @bad-at-computer: NPM has yet to respond to any of this, but it appears at least 'debug's malicious package version has been yanked. — I contacted @porkbun.com about the phishing domain and called support to have it escalated. — Nothing I can do but sit and wait right now. Sorry folks.

@svelte.dev: 2. The attack works by targeting users of browser extensions like MetaMask, patching 'fetch' and 'XMLHttpRequest' to steal crypto (excellent write-up here: jdstaerk.substack.com/p/we-just- fo...)

John David Pressman / @jdp.extropian.net: I suspect we're in the twilight period of traditional software development, and that an increasing number of successful supply chain attacks like this will be the driver towards fundamental shifts towards paranoia about dependencies and formal verification. — jdstaerk.substack.com/p/we-just- fo...

Josh Junon / @bad-at-computer: Message from NPM: — "All impacted package versions have been taken down. I'll be in touch when we have more information regarding account recovery." — I've requested further information about which packages were published, their versions, and all account actions NPM took.

Zach Leatherman / @zachleat.com: Crashing out at how poorly npm (Microsoft) is handling this security incident. Eleventy is not affected any more but *lots* of other tools in the JavaScript ecosystem are! — Hours later and the compromised package versions are still public... Maybe don't install anything from npm today, folks.

Jon Kuperman / @jonkuperman.com: watching npm not respond for hours as compromised package authors plead for help taking down infected packages

@codfather: If you or your company use node - then you need to take immediate action this is a v. serious hack just hit. — www.aikido.dev/blog/npm-deb...

Mastodon:

@cryptadamist@universeodon.com: the massive #node / #npm supply chain hack thankfully seems to have once again been aimed solely at stealing #crypto so once again if you don't use crypto you don't have much to worry about. — that said getting your #malware downloaded over a billion times is... impressive.

Chris Adams / @acdha@code4lib.social: Clever trick in today's NPM hack: using Levenshtein to pick the replacement address most similar to the original, making it very easy for humans to miss the difference. This would work really well with things like Git commits, too... https://jdstaerk.substack.com/ ...

Chris / @cy@chaos.social: good day to disable javascript in your browser for a while — https://www.bleepingcomputer.com/ ...

Thomas / @thomasfuchs@hachyderm.io: It's almost like programming language monocultures with "best practices" and paradigms requiring hundreds or thousands of dependencies even for simple apps are harmful https://www.bleepingcomputer.com/ ...

Kevin Beaumont / @GossiTheDog@cyberplace.social: Developer confirms they fell for phishing email — It looks like others have too, found one other compromised repo from a different user, will have a dig tomorrow as bored of cyber tonight. — https://bsky.app/...

Forums:

Hacker News: NPM debug and chalk packages compromised
r/hacking: Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack
r/programming: So chalk + debug just got owned on npm... and honestly, this is the nightmare I've been expecting
r/cybersecurity: Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack
r/programming: Color NPM Package Compromised
r/linux: npm debug and chalk packages compromised (~650 million weekly downloads)
r/netsec: NPM Debug and Chalk Packages Compromised
r/programming: Largest NPM Compromise in History - Supply Chain Attack
r/npm: npm debug and chalk packages compromised
r/node: npm debug and chalk packages compromised
r/javascript: NPM package "error-ex" just got published with malware (47m downloads)
Msmash / Slashdot: Hackers Hijack npm Packages With 2 Billion Weekly Downloads in Supply Chain Attack
🚨 There's a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk. The malicious payload works
I would strongly recommend not signing any crypto transactions right now. There is a huge supply chain attack on popular NPM packages that may have compromised various crypto websites (frontend, not the actual contracts). It changes the destination address of transactions and
There has been a total of $159 stolen so far in the NPM supply chain attack. These coins were sent to addresses tagged in the original write-up shared by Ledger's CTO.
> do largest supply chain attack in history > potentially infect millions of apps > doesn't do the thing good > makes $0 from compromise I don't wanna support the villain here, but my guy, you gotta lock in. You could have infected hundreds of millions of apps and you FUMBLE IT
A good reminder: 1. npm and other package managers are ripe for supply chain attacks. You should expect packages to be silently compromised and guard against them 2. Crypto wallets are easier to hack than fiat payment methods. More risk of being hacked: a risk of using crypto
If you use a Ledger or hardware wallet with clear signing, you are not at risk. My tweet above is warning people who do not use a hardware wallet with clear signing of the risk. Always review every transaction before you sign.
ATTACK UPDATE: A massive supply-chain compromise has affected packages with over 2 billion weekly downloads, targeting *CRYPTO* Here's how it works 👇
1) Injects itself into the browser
Hooks core functions like fetch, XMLHttpRequest, and wallet APIs (window.ethereum, Solana,
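The hooking of fetch and XMLHttpRequest that the post above describes can be checked for from the defender's side by asking whether those entry points are still the engine's native functions. The following is an added example written for this page, not code from any quoted post or from the affected packages; the makeWindow stand-in and every name in it are constructed for the demonstration.

```javascript
// Added example (not from any post quoted on this page): a defensive check a
// site or extension can run to spot whether fetch / XMLHttpRequest have been
// replaced by JavaScript wrappers, the hooking behaviour described above.
// A JS wrapper cannot print "[native code]" unless it also swaps
// Function.prototype.toString, so the genuine toString is captured once.
const nativeToString = Function.prototype.toString;
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// True when fn's source text is the engine's native stub. Caveat: fn.bind()
// and Proxy objects also report native code, so "native" is evidence, not
// proof; a non-native answer, however, is a reliable sign of a wrapper.
function looksNative(fn) {
  if (typeof fn !== "function") return false;
  try {
    return NATIVE_RE.test(nativeToString.call(fn));
  } catch (_) {
    return false; // toString threw: treat as tampered
  }
}

// Audit a global object (window in a browser; a constructed stand-in below)
// and return the names of entry points that are no longer native.
function findHookedGlobals(g) {
  const hooked = [];
  if (g.Function && g.Function.prototype.toString !== nativeToString) {
    hooked.push("Function.prototype.toString"); // every other answer is suspect
  }
  if (g.fetch !== undefined && !looksNative(g.fetch)) hooked.push("fetch");
  const proto = g.XMLHttpRequest && g.XMLHttpRequest.prototype;
  for (const m of proto ? ["open", "send"] : []) {
    if (!looksNative(proto[m])) hooked.push(`XMLHttpRequest.prototype.${m}`);
  }
  return hooked;
}

// Constructed stand-in for a browser window. Native built-ins play the role
// of the real fetch/XHR; when `compromised` is true, two of them are wrapped
// the way an injected script would (the wrappers here only delegate).
function makeWindow(compromised) {
  function XMLHttpRequest() {}
  XMLHttpRequest.prototype.open = Array.prototype.push;
  XMLHttpRequest.prototype.send = Array.prototype.pop;
  const w = { fetch: Array.prototype.map, XMLHttpRequest };
  if (compromised) {
    const origFetch = w.fetch, origOpen = XMLHttpRequest.prototype.open;
    w.fetch = function (...a) { return origFetch.apply(this, a); };
    XMLHttpRequest.prototype.open = function (...a) { return origOpen.apply(this, a); };
  }
  return w;
}
```

In a real page, run findHookedGlobals(window) from a script that executes before third-party bundles and treat a non-empty result as a signal to investigate, not as a verdict.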
Regarding the recent NPM supply-chain attack: Both Jupiter and Jup Mobile users are completely unaffected by the vulnerability. We've confirmed across the source code that none of the affected package-versions exist in any Jupiter product. Users are safe ✅