Supply chain, DevOps, Threat Intelligence

Supply chain attack hits popular npm package

The widely used lightweight JavaScript utility library 'is', which is downloaded more than 2.8 million times a week from the npm package index, has been infected with malware as part of a supply chain intrusion initially reported to have affected nearly half a dozen popular npm packages, including 'eslint-config-prettier', according to BleepingComputer.

Attackers compromised 'is' versions 3.3.1 to 5.0.0 with a JavaScript malware loader carrying a WebSocket-based backdoor that gathers and exfiltrates device information as well as process.env environment variables, according to a report from Socket. "Every message received over the socket is treated as executable JavaScript, giving the threat actor an instant, interactive remote shell," said Socket researchers, who also found the Scavenger information-stealing malware in the previously compromised packages. While all of the affected 'is' releases have already been removed by maintainer John Harband, developers have been advised not only to reset passwords and rotate tokens immediately but also to deactivate automatic updates.
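As an added example (not code from the article, Socket, or the 'is' project), the following Node.js script audits a package-lock.json for the compromised 'is' range the article names, catching nested copies under other dependencies; the sample lockfile is constructed.

```javascript
// Range the article reports as compromised; both bounds inclusive.
const COMPROMISED_IS_RANGE = { name: 'is', min: '3.3.1', max: '5.0.0' };

// Parse "MAJOR.MINOR.PATCH" into numbers, dropping pre-release/build suffixes.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Compare two versions numerically (not as strings); returns -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when this name/version pair falls inside the compromised range.
function isCompromised(name, version, range = COMPROMISED_IS_RANGE) {
  return name === range.name &&
    compareVersions(version, range.min) >= 0 &&
    compareVersions(version, range.max) <= 0;
}
// Walk the "packages" map of a package-lock.json (v2/v3). Keys look like
// "node_modules/is" or "node_modules/tool/node_modules/is", so nested copies count.
function findCompromised(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf('node_modules/') + 13);
    if (entry.version && isCompromised(name, entry.version)) hits.push(path);
  }
  return hits;
}

// Constructed sample lockfile: a clean top-level 'is' and a nested bad copy.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/is': { version: '3.3.0' },
    'node_modules/some-dep': { version: '2.0.0' },
    'node_modules/some-dep/node_modules/is': { version: '3.3.2' },
  },
};
console.log(findCompromised(SAMPLE_LOCK)); // → [ 'node_modules/some-dep/node_modules/is' ]
```

To audit a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a committed lockfile checked this way is also what makes the "deactivate automatic updates" advice enforceable in CI.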
