Supply chain, Incident Response

2025-09-11

Impact of sweeping npm supply chain compromise minimal

(Credit: Araki Illustrations – stock.adobe.com)

Despite a successful malware poisoning attack against more than a dozen widely used npm packages with over 2 billion cumulative weekly downloads, threat actors were able to steal only $1,027 worth of cryptocurrency from the intrusion, which was discovered earlier this week, CyberScoop reports. The incident stemmed from the social engineering compromise of the npm account of package developer and maintainer Josh Junon, which allowed the attacker to inject malicious payloads into 18 packages, including chalk, debug, ansi-styles, and supports-color. npm's takedown of the illicit packages within six hours helped prevent further compromise. Security researchers were also able to detect the threat immediately because the attackers made poor use of a popular obfuscator, said JFrog's Andrey Polkovnichenko. "The overall blast radius of the attack was relatively small, it was caught quickly, and the incident response process worked as intended. That's a good news story, not a horror story," said Tanium Senior Director of Security and Product Design Research Melissa Bischoping.
