Top 20 npm Packages with 2 Billion Weekly Downloads Targeted in Supply Chain Attack

Multiple npm packages have been compromised in a software supply chain attack that began with the phishing of maintainer Josh Junon, also known as Qix. Junon received a deceptive email from an address mimicking npm, urging him to update his two-factor authentication (2FA) credentials. The phishing page prompted him to enter his username, password, and 2FA token, which were captured through an adversary-in-the-middle (AitM) attack: the phishing site relays the entered credentials and one-time code to the real login in real time, so a TOTP code offers no protection against it (only phishing-resistant factors such as WebAuthn/passkeys bound to the genuine origin do). With the resulting access, the attacker published malicious versions of the packages to the npm registry. A total of 20 packages, which collectively attract over 2 billion weekly downloads, have been confirmed as affected. Junon expressed regret over the incident, stating, “Sorry everyone, I should have paid more attention,” and acknowledged the need to rectify the situation.

Analysis of the obfuscated payload injected into the published package code shows that it is designed to intercept cryptocurrency transaction requests. The malware replaces the destination wallet address with one controlled by the attacker, using the Levenshtein (edit) distance to pick, from a pool of attacker-controlled addresses, the one that most closely resembles the legitimate address so that the substitution is less likely to be noticed by someone glancing at the address. According to Aikido Security’s Charlie Eriksen, the payload functions as a browser-based interceptor, hooking network traffic and application APIs to divert cryptocurrency assets. Its targets are end users with connected wallets who visit sites built with the compromised package versions. Developers are not the primary targets, but they can also fall victim if they connect their wallets while accessing affected sites. The incident underscores the ongoing exposure of package ecosystems such as npm and the Python Package Index (PyPI), and the need for vigilance and for hardened CI/CD pipelines: pinned dependencies with lockfiles, review of newly published versions before they are pulled into a build, and a check of existing lockfiles for the affected versions.
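The following is an added example, not code from the article, from Aikido's analysis, or from the compromised packages. It models the address-swap logic described above so that the evasion is concrete: an edit-distance function, the selection of the attacker-controlled address nearest to the legitimate one, a simplified stand-in for the in-flight rewrite of a request body (a real payload hooks the browser's network and wallet APIs; this only rewrites a string), and a recipient check that is not fooled by it. The addresses, the attacker pool, and the sample request body are constructed for the example; the function names are my own.

```javascript
// Added example: models the Levenshtein-based wallet address swap and a check
// against it. Not code from the article or from the compromised packages.

// Standard Levenshtein edit distance (two-row dynamic programming).
function levenshtein(a, b) {
  if (a === b) return 0;
  let prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// From a pool of attacker-controlled addresses, return the one with the
// smallest edit distance to the legitimate recipient (the "lookalike").
function closestLookalike(target, pool) {
  let best = null;
  let bestDist = Infinity;
  for (const candidate of pool) {
    const d = levenshtein(target.toLowerCase(), candidate.toLowerCase());
    if (d < bestDist) {
      best = candidate;
      bestDist = d;
    }
  }
  return { address: best, distance: bestDist };
}

// Constructed sample data (not real addresses). The user intends to pay LEGIT.
// The attacker pool contains one address that shares LEGIT's first four and
// last four hex characters, which is what a person usually eyeballs.
const LEGIT = "0x1234567890abcdef1234567890abcdef12345678";
const ATTACKER_POOL = [
  "0x1234" + "a".repeat(32) + "5678",          // lookalike: same prefix/suffix
  "0x" + "deadbeef".repeat(5),                  // unrelated
  "0x" + "9".repeat(40),                        // unrelated
];

// Simplified stand-in for the in-flight rewrite: every EVM-style address in a
// JSON request body is replaced with its nearest lookalike from the pool.
const EVM_ADDRESS = /0x[0-9a-fA-F]{40}/g;
function rewriteBody(body, pool) {
  return body.replace(EVM_ADDRESS, (addr) => closestLookalike(addr, pool).address);
}

// Weak check: comparing only the visible prefix and suffix. The lookalike is
// chosen precisely so that this passes.
function prefixSuffixMatches(confirmed, toSign) {
  const a = confirmed.toLowerCase();
  const b = toSign.toLowerCase();
  return a.slice(0, 6) === b.slice(0, 6) && a.slice(-4) === b.slice(-4);
}

// Correct check: the wallet (or a site's pre-sign guard) compares the full
// address it is about to sign against the one the user actually confirmed.
function recipientMatches(confirmed, toSign) {
  return confirmed.toLowerCase() === toSign.toLowerCase();
}

// Usage: build a request, run it through the rewrite, and apply both checks.
const original = JSON.stringify({ to: LEGIT, value: "0x0" });
const tampered = JSON.parse(rewriteBody(original, ATTACKER_POOL)).to;
console.log("swapped to:", tampered, "(distance", levenshtein(LEGIT, tampered) + ")");
console.log("prefix/suffix check passes:", prefixSuffixMatches(LEGIT, tampered));
console.log("full-address check passes:", recipientMatches(LEGIT, tampered));
```

The point of the pair of checks is that a glance at "0x1234…5678" is not a verification step: any defence has to compare the complete address the user confirmed out-of-band (for example as shown in a hardware wallet's display) with the one actually being signed.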

Categories: Cybersecurity Threats, Software Supply Chain Attacks, Malicious Code Injection 

Tags: npm, Phishing, Two-Factor Authentication, Malware, Cryptocurrency, Supply Chain Attack, Rogue Packages, Interceptor, Typosquatting, CI/CD Pipelines 
