Cybercriminals Walk Away Empty-Handed Following Major NPM Supply Chain Attack
The largest supply-chain compromise in the history of the NPM ecosystem reached approximately 10% of all cloud environments, yet the attackers made almost no money from it. The attack occurred earlier this week when maintainer Josh Junon, known as Qix, fell for a password-reset phishing lure, giving the attackers control of his account and of several highly popular NPM packages, including chalk and debug, which collectively account for over 2.6 billion weekly downloads. Using that access, the attackers published malicious versions carrying a payload that hooked cryptocurrency wallet interactions in the browser and redirected transactions to wallets they controlled. The open-source community identified the attack quickly, and the malicious versions were removed within about two hours.
According to researchers at cloud security company Wiz, one or more of the compromised packages, which serve as fundamental building blocks for nearly any JavaScript or Node project, are present in 99% of cloud environments. During the roughly two-hour window in which the malicious versions were available, approximately 10% of cloud environments pulled them: any install that resolved to the latest version during that window picked up the malicious code. Wiz noted that this illustrates how quickly malicious code propagates in a supply-chain attack. Although the incident caused significant disruption, forcing companies to spend considerable time on cleanups, rebuilds, and audits, the direct security impact remained limited, as did the threat actors' profit.

An analysis by Security Alliance found that the injected code targeted browser environments, hooking Ethereum and Solana signing requests and swapping the destination wallet addresses for ones controlled by the attackers; installs on servers and in build pipelines, where no wallet is present, gave the payload nothing to act on, although any environment that pulled the versions still had to be rebuilt from clean packages. Despite the scale of the attack, Security Alliance's analysis found only about five cents' worth of Ethereum and roughly $20 worth of an obscure memecoin diverted. Researchers from Socket reported that the same phishing campaign also compromised the account of DuckDB's maintainer, and its packages were published with the same crypto-stealing code. A later tally of the attackers' wallets put the proceeds at approximately $429 in Ethereum, $46 in Solana, and small amounts in Bitcoin, Tron, Bitcoin Cash, and Litecoin, around $600 in total. The wallet addresses holding the larger amounts have also been flagged, limiting the attackers' ability to cash out.
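The audit step mentioned above, whether a project pulled a flagged version during the window, comes down to reading the lockfile rather than package.json, because a range such as `^4.0.0` says nothing about which version was actually resolved, and a bad version can also arrive nested under another dependency. The following is an added example, not code from the article or from any of the affected projects: a small Node script that walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports every entry, nested or not, whose name and version appear on a denylist. The lockfile and the denylist are constructed for illustration; the real compromised version numbers are not given on this page, so substitute the ones from the advisory you rely on.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2/3) against a
// denylist of package versions. Not from the article or the affected projects.

// Constructed denylist: package name -> versions to flag. The "9.9.9"
// entries are placeholders, not the real compromised versions.
const DENYLIST = {
  chalk: new Set(["9.9.9"]),
  debug: new Set(["9.9.9"]),
};

// Turn a lockfile "packages" key into the package name it installs:
//   "node_modules/chalk"                      -> "chalk"
//   "node_modules/a/node_modules/chalk"       -> "chalk"   (nested copy)
//   "node_modules/@scope/name"                -> "@scope/name"
//   ""                                        -> null      (the root project)
function packageNameFromPath(path) {
  const idx = path.lastIndexOf("node_modules/");
  if (idx === -1) return null;
  return path.slice(idx + "node_modules/".length);
}

// Return every lockfile entry whose (name, version) is on the denylist.
function auditLock(lock, denylist = DENYLIST) {
  if (!lock.packages) {
    // lockfileVersion 1 only has a nested "dependencies" tree; regenerating
    // with a current npm gives the flat "packages" map used here.
    throw new Error("lockfile has no 'packages' map; regenerate it with npm >= 7");
  }
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(path);
    if (name === null) continue;
    const bad = denylist[name];
    if (bad && bad.has(entry.version)) {
      hits.push({ path, name, version: entry.version, resolved: entry.resolved || null });
    }
  }
  return hits;
}

// Convenience wrapper for a real package-lock.json on disk.
function auditLockFile(file, denylist = DENYLIST) {
  const fs = require("fs");
  return auditLock(JSON.parse(fs.readFileSync(file, "utf8")), denylist);
}

// Constructed sample lockfile: the app's direct chalk dependency resolved to a
// clean version, but a transitive dependency carries its own nested copy at
// the flagged version. The scoped "@scope/debug" shares a basename with
// "debug" and must not be confused with it.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { chalk: "^9.0.0", "some-cli": "^1.0.0" } },
    "node_modules/chalk": { version: "9.0.1", resolved: "https://registry.npmjs.org/chalk/-/chalk-9.0.1.tgz" },
    "node_modules/some-cli": { version: "1.2.0", resolved: "https://registry.npmjs.org/some-cli/-/some-cli-1.2.0.tgz" },
    "node_modules/some-cli/node_modules/chalk": { version: "9.9.9", resolved: "https://registry.npmjs.org/chalk/-/chalk-9.9.9.tgz" },
    "node_modules/@scope/debug": { version: "9.9.9" },
  },
};

// Run against the constructed sample so the script works stand-alone.
const sampleHits = auditLock(SAMPLE_LOCK);
console.log(sampleHits.length ? "FLAGGED:" : "clean");
for (const h of sampleHits) console.log(`  ${h.path} ${h.name}@${h.version} ${h.resolved}`);
```

On a real project, point `auditLockFile` at `package-lock.json` after populating `DENYLIST` from the advisory, and treat any hit as a reason to rebuild from clean versions rather than just bumping the one entry, since a nested copy is pulled in by whichever dependency declared it.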
Categories: Supply Chain Attack, Cryptocurrency Theft, Open Source Security
Tags: Supply-Chain, Compromise, NPM, Attack, Malicious, Packages, Cryptocurrency, Cloud, Security, Phishing