Extensive npm Supply Chain Compromise Disclosed in Complex Phishing Scheme


Quick Overview

  • A phishing campaign against an npm maintainer compromised JavaScript packages that together see about 2.7 billion downloads a week.
  • The fraudulent emails appeared to come from “support@npmjs.help,” a lookalike of npm’s real domain, and tricked the developer into “updating” his 2FA credentials.
  • Security firm Aikido found that the injected code runs in end users’ browsers, where it hijacks cryptocurrency and web3 transactions.
  • The breach follows the August compromise of the Nx package, which exposed thousands of corporate secrets.

Phishing Attack Affects npm Developers

A phishing campaign targeting npm maintainers has produced one of the largest supply chain compromises on the registry to date. Emails that appeared to come from “support@npmjs.help” (a lookalike of the legitimate npmjs.com) urged developers to update their two-factor authentication credentials. One maintainer, Josh “qix” Junon, was taken in, and at least 18 widely used packages he maintains were compromised; together they are downloaded approximately 2.7 billion times each week.


[Image: example of the npmjs.help phishing message. Credit: Marsup]

Consequences of the Malicious Code

Security firm Aikido analysed the malicious code and found that it runs client-side, in the browsers of users visiting sites that shipped the affected code, where it silently intercepts cryptocurrency and web3 activity. It hooks wallet interactions and rewrites payment destinations so that funds and token approvals go to attacker-controlled accounts, with nothing visible to the user. Although the compromised versions have been cleaned up, other maintainers remain targets of the same actor.
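How a client-side payee rewrite of this kind works, as an added illustration that is neither Aikido’s analysis nor the malware’s actual code: a simulated wallet provider, a hook that swaps the destination of a transaction after the page has already shown the user the intended one, and a dApp-side guard that refuses to send when the provider function it captured has since been replaced. The provider is a synchronous stand-in (real EIP-1193 providers return promises) and the addresses are placeholders.

```javascript
// Added illustration, not the malware's own code: a page-level hook on a wallet
// provider's request() that silently swaps the payment destination, plus a
// dApp-side check that detects the replaced function. The provider is a
// synchronous stand-in for a browser wallet; addresses are placeholders.

const ATTACKER_ADDRESS = "0x000000000000000000000000000000000000dead"; // placeholder
const USER_INTENDED = "0x1111111111111111111111111111111111111111";    // placeholder

// Stand-in wallet provider: records every transaction it is asked to send.
function makeProvider() {
  const submitted = [];
  return {
    submitted,
    request({ method, params }) {
      if (method !== "eth_sendTransaction") throw new Error("unsupported: " + method);
      submitted.push(params[0]);
      return "0xtxhash"; // stand-in transaction hash
    },
  };
}

// Malicious hook modelled on the behaviour described above: wrap request() and
// rewrite the `to` field. The page UI still shows the address the user typed,
// because the swap happens after the UI has rendered it.
function installMaliciousHook(provider) {
  const original = provider.request.bind(provider);
  provider.request = function (args) {
    if (args.method === "eth_sendTransaction" && args.params?.[0]?.to) {
      const tx = { ...args.params[0], to: ATTACKER_ADDRESS };
      return original({ ...args, params: [tx] });
    }
    return original(args);
  };
}

// Defensive pattern: capture the provider's request() as early as possible
// (before third-party bundles run) and refuse to send if it has since been
// replaced. It catches hooks installed later in the page's lifetime; it cannot
// help if the hook was already in place when the reference was captured.
function makeGuardedSender(provider) {
  const trusted = provider.request;
  return function sendPayment(to, valueWei) {
    if (provider.request !== trusted) {
      throw new Error("provider.request was replaced after it was captured");
    }
    return trusted.call(provider, {
      method: "eth_sendTransaction",
      params: [{ to, value: valueWei }],
    });
  };
}

// Three scenarios, returned as data so the outcome can be inspected.
function runScenarios() {
  // 1. Naive dApp: the hook is present (e.g. via a compromised dependency) and
  //    the wallet receives a different destination than the user intended.
  const naive = makeProvider();
  installMaliciousHook(naive);
  naive.request({ method: "eth_sendTransaction", params: [{ to: USER_INTENDED, value: "0x1" }] });

  // 2. Guarded dApp: reference captured before the hook lands; send is refused.
  const guarded = makeProvider();
  const send = makeGuardedSender(guarded);
  installMaliciousHook(guarded);
  let refused = null;
  try { send(USER_INTENDED, "0x1"); } catch (e) { refused = e.message; }

  // 3. Guard installed too late: the captured reference is already the hook, so
  //    the check passes and the rewrite goes through. Load order matters.
  const late = makeProvider();
  installMaliciousHook(late);
  makeGuardedSender(late)(USER_INTENDED, "0x1");

  return {
    naiveDestination: naive.submitted[0].to,       // ATTACKER_ADDRESS
    guardedSubmissions: guarded.submitted.length,  // 0
    refused,                                       // non-null error message
    lateDestination: late.submitted[0].to,         // ATTACKER_ADDRESS
  };
}
```

The third scenario is the one that matters for a compromise delivered through a dependency: if the hook ships inside a bundle that executes before the dApp’s own code, nothing the dApp checks at runtime sees the original function, and the only reliable place to catch the swap is the wallet’s own confirmation prompt.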

Prior Attacks and Continuing Risks

This event follows an attack on the Nx package in late August, dubbed “s1ngularity,” which abused a flawed CI workflow that ended up executing code injected through pull request titles. The npm security vendor Socket reported that the resulting malware drove AI command line tools to scan local file systems for secrets, and that thousands of corporate secrets belonging to more than 1,700 users were leaked and published on GitHub.

Conclusion

The npm compromise shows that a single phished maintainer account is enough to push malicious code to billions of downloads a week. Together with the earlier Nx incident, it underlines how fragile widely used developer tooling is and how much an attacker can gain by subverting it.

Questions & Answers

Q: What exactly is npm?

A: npm is the Node Package Manager, the default package manager and public registry for JavaScript, hosting more than 2 million reusable packages.

Q: How did the phishing attack happen?

A: Maintainers received phishing emails from “support@npmjs.help,” a lookalike domain, crafted to appear legitimate and asking them to update their two-factor authentication credentials.

Q: What was the primary effect of the breach?

A: At least 18 popular npm packages were compromised; together they account for approximately 2.7 billion weekly downloads.
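A check a practitioner will want after an incident like this, as an added example that is not part of the article: scan a project’s package-lock.json for pinned versions that appear on a list of known-compromised releases, including copies nested under other dependencies. The package names and versions below are made-up placeholders, not the packages named in the incident; substitute the advisory’s list when using it.

```javascript
// Added example, not from the article: scan a package-lock.json for package
// versions on a known-compromised list. Handles lockfileVersion 1 (nested
// "dependencies") and versions 2/3 (flat "packages" keyed by path).
// All package names and versions here are placeholders.

// Parse lines of the form "name@version" (scoped names start with '@') into
// a Map of name -> Set of versions.
function parseBadList(lines) {
  const bad = new Map();
  for (const line of lines) {
    const at = line.trim().lastIndexOf("@");
    if (at <= 0) continue; // skip blanks and malformed entries
    const name = line.trim().slice(0, at);
    const version = line.trim().slice(at + 1);
    if (!bad.has(name)) bad.set(name, new Set());
    bad.get(name).add(version);
  }
  return bad;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  return idx === -1 ? null : path.slice(idx + "node_modules/".length);
}

// Returns every installed package whose (name, version) is on the bad list,
// with the path inside node_modules so nested copies are reported too.
function scanLockfile(lock, bad) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2 or 3 (v2 also carries "dependencies"; ignore it)
    for (const [path, entry] of Object.entries(lock.packages)) {
      const name = nameFromLockPath(path);
      if (name && bad.get(name)?.has(entry.version)) {
        hits.push({ path, name, version: entry.version });
      }
    }
  } else if (lock.dependencies) { // lockfileVersion 1, nested tree
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = prefix + "node_modules/" + name;
        if (bad.get(name)?.has(entry.version)) hits.push({ path, name, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Convenience wrapper for a real lockfile on disk.
function scanLockfileFile(lockPath, bad) {
  const fs = require("fs");
  return scanLockfile(JSON.parse(fs.readFileSync(lockPath, "utf8")), bad);
}

// Constructed sample input: placeholder package names and versions.
const SAMPLE_BAD = parseBadList([
  "example-colors@1.4.2",
  "example-logger@3.0.1",
  "@example/safe@2.0.1",
]);

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/example-colors": { version: "1.4.1" },                              // clean
    "node_modules/example-logger": { version: "3.0.0" },                              // clean
    "node_modules/example-logger/node_modules/example-colors": { version: "1.4.2" }, // bad, nested
    "node_modules/@example/safe": { version: "2.0.0" },                               // clean
  },
};

// Human-readable report lines.
function formatHits(hits) {
  return hits.map((h) => `${h.name}@${h.version} at ${h.path}`);
}
```

Run it against a real tree with `scanLockfileFile("package-lock.json", parseBadList(linesFromAdvisory))`; a clean top-level entry does not clear a project, because the same package can be installed again at a different version under another dependency, which is exactly the case the nested sample entry exercises.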

Q: What is the functionality of the malicious code?

A: The code runs in the browser, hooks wallet interactions, and rewrites payment destinations so that funds and approvals go to attacker-controlled accounts without the user noticing.

Q: Are developers still facing risks?

A: Yes. The compromised versions have been cleaned up, but the threat actor has not been identified and other maintainers may still be targeted.

Q: What was the s1ngularity attack?

A: The s1ngularity attack exploited a flawed CI workflow in the Nx package to run attacker-supplied code, which harvested and published thousands of corporate secrets on GitHub.
