A supply chain attack was discovered on more than 40 npm packages in which threat actors injected malicious code via a standard bundle.js JavaScript file to weaponize legitimate tools like TruffleHog to steal credentials.Security pros were concerned about the attack, first outlined in a Sept. 15 Socket blog, saying that they exploit the inherent trust the industry has in the npm registry."This compromise highlights the danger of long-lived credentials in software supply chains,” said Mike Malone, chief executive officer of Smallstep. “By injecting malicious code into npm packages, attackers were able to harvest developer tokens and persist through build pipelines, turning trust itself into a weapon.”Nick Dixon, security operations and support manager at Blumira, added that the attack is concerning because of the chain reaction it kicks off: once a dev’s npm account gets compromised, the malware automatically spreads to other packages they maintain, and then potentially to any project making use of those packages.“It’s not a simple matter of stealing credentials and exfiltrating them, it’s setting up camp in affected systems through workflows that stick around even after mitigating the initial infection,” explained Dixon.Dixon said by the standards of CVSS rating, this would likely rate a 9.5/10 because it automatically propagates, targets high-value assets throughout the npm ecosystem, and executes stealthily, misusing legitimate tools like TruffleHog. “Also, given last month’s s1ngularity attack, there’s the possibility this is part of a larger campaign,” noted Dixon.Mike McGuire, senior security solutions manager at Black Duck, said incidents such as this serve as a stark reminder that software supply chains are only as strong as their weakest links.McGuire said organizations must adopt a proactive defense-in-depth approach: implement automated software composition analysis (SCA) to continuously monitor dependencies for vulnerabilities and malicious behavior; enforce strict package verification and provenance checks; and rotate credentials immediately upon detection of compromise.“Within my organization, we've seen a surge in such attacks, and without robust tools to map and secure your open source footprint, the risks to sensitive information, intellectual property, and operational integrity are simply too high to ignore,” said McGuire.Randolph Barr, chief Information security officer at Cequence Security, added that this incident underscores how the modern software supply chain can be turned against developers themselves. Barr said by trojanizing upstream packages and embedding tools like TruffleHog for credential harvesting, attackers are blurring the line between legitimate tooling and abuse.“This isn’t just about code quality, it’s about trust in the entire CI/CD pipeline,” said Barr.While organizations without a dedicated API security platform or runtime supply chain monitoring may feel limited, Barr said there are still practical, high-impact actions they can take:
- Pin dependencies to avoid unexpected package updates.
- Use tools like Snyk or OWASP Dependency-Check for SCA.
- Scan commits with Gitleaks or TruffleHog to prevent hardcoded secrets.
- Validate tokens using scoped access policies.
- Review build agent privileges to avoid overly broad access.
- Implement centralized logging to detect credential scanning or metadata probing.





