
The npm incident frightened everyone, but ended up being nothing to fret about

Disaster was averted after widely used open-source packages were compromised via social engineering.

Security professionals and observers across the industry got swept into a pit of fear Monday when an attacker took over and injected malicious code into a series of widely used open-source packages in the node.js package manager, or npm. Despite all that worry, the disaster that many presumed a foregone conclusion was averted and the consequences of the supply-chain attack were short-lived and minimal. 

Josh Junon, a developer and maintainer of the impacted software packages, took to social media early Monday to confirm his npm account was compromised via social engineering — a two-factor reset email that looked legitimate, he said. The attacker quickly posted updated software packages with payloads designed to intercept, manipulate and redirect cryptocurrency activity, according to researchers.

Apprehension, fueled by the popularity of the 18 affected packages — which together capture more than 2 billion downloads per week, according to Aikido Security — pushed some defenders to the brink of full-on freak-out mode. Ultimately, the open-source poisoning attack was successful, but its impact was thwarted.

“There was a lot of fear, uncertainty, and doubt in sensationalized headlines about the attack,” Melissa Bischoping, senior director of security and product design research at Tanium, told CyberScoop. “The overall blast radius of the attack was relatively small, it was caught quickly, and the incident response process worked as intended. That’s a good news story, not a horror story.”


Junon said his account was restored about eight hours after he was duped by the social engineering attack, and infected versions of the packages were available for up to six hours before npm took them down and published stable versions. The most popular of the affected packages include ansi-styles, debug, chalk and supports-color.

Many expected the compromise would result in widespread cryptocurrency theft, but the downstream effects of the attack appear negligible. The attacker’s crypto address showed only $66.52, Arda Büyükkaya, senior cyber threat intelligence analyst at EclecticIQ, said in a LinkedIn post Monday.

Researchers at blockchain analytics platform Arkham have traced about $1,027 in stolen cryptocurrency to the attack as of Wednesday morning.

“While their motivation appears financial, it’s easy to see how this could have been catastrophic and reminds us of the XZ Utils breach in 2024 and others in recent memory,” Bischoping said. 

Researchers from multiple security outfits described the compromise as the largest npm attack on record due to the potential scale of compromise. Fortunately, the attacker’s technical actions tipped off other developers.


“The attackers poorly used a widely known obfuscator, which led to immediate detection shortly after the malicious versions were published,” Andrey Polkovnichenko, security researcher at JFrog, said in a blog post.

While the initial wave of the attack was mostly stunted, researchers warn other npm maintainers were targeted and compromised by the same phishing campaign. Other packages known to be impacted include duckdb, proto-tinker-wc, prebid-universal-creative, prebid and prebid.js, Sonatype researchers said in a blog post Monday. 

“The open-source community are so often the heroes in our industry,” Bischoping said. “The passion, dedication, and resilience of the open-source community provide value we all benefit from. Every organization should consider how they can better support, fund and contribute to open-source projects because without them the tech industry would suffer.”
