A significant supply-chain attack has allegedly targeted the npm ecosystem, the world’s largest software registry. Attackers successfully hijacked at least 20 popular JavaScript packages, which collectively account for over two billion weekly downloads. This incident has sent shockwaves through the developer community, as these packages are fundamental building blocks for countless web applications and services, making the potential impact widespread. The compromised packages are used by millions of developers and integrated into a vast number of projects, ranging from small personal websites to large-scale enterprise applications.

The attackers injected malicious code into the compromised packages, which was designed to steal cryptocurrency from end-users. The malware reportedly monitors for and intercepts transactions involving several major cryptocurrencies, including Bitcoin, Ethereum, and Solana. It achieves this by hijacking network traffic and application programming interfaces (APIs) to replace the intended recipient’s wallet address with one controlled by the attackers. This sophisticated attack highlights the inherent risks of modern software development, where applications often rely on a deep tree of third-party dependencies.
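The interception the article describes works by wrapping browser network APIs at runtime. One defender-side check is whether those APIs are still the engine's own native implementations: a JavaScript wrapper installed over `fetch` or `XMLHttpRequest.prototype.open` no longer stringifies to `[native code]`. The block below is an added illustration, not code from the article or from any of the affected packages; the host object, the `installWrapper` helper and the method names are constructed stand-ins so that the check runs offline under Node.

```javascript
"use strict";

// Added example, not code from the article. A runtime wrapper installed over a
// browser API does not stringify to "[native code]", which makes silent
// monkey-patching of fetch / XMLHttpRequest detectable from page code.
// Limits: bound functions and Proxies also read as native, and a wrapper can
// override its own toString, so treat a hit as a signal to investigate, not proof.
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Report which of the named methods on `host` are no longer native.
function findPatchedApis(host, names) {
  return names.filter((n) => typeof host[n] === "function" && !isNativeFunction(host[n]));
}

// In a browser the real calls would be:
//   findPatchedApis(window, ["fetch"]);
//   findPatchedApis(XMLHttpRequest.prototype, ["open", "send"]);
// For an offline demo we use a CONSTRUCTED host whose members are genuine
// native built-ins standing in for fetch and send.
function makeSampleHost() {
  return { fetch: JSON.parse, send: Date.now };
}

// Constructed, inert wrapper used only to simulate tampering for the demo:
// same call shape, delegates straight to the original.
function installWrapper(host, name) {
  const original = host[name];
  host[name] = function (...args) {
    return original.apply(this, args);
  };
}

// Returns the findings before and after the simulated tampering.
function runDemo() {
  const host = makeSampleHost();
  const before = findPatchedApis(host, ["fetch", "send"]); // []
  installWrapper(host, "fetch");
  const after = findPatchedApis(host, ["fetch", "send"]); // ["fetch"]
  return { before, after };
}

console.log(runDemo());
```

Run it with `node` to see the clean host report nothing and the wrapped `fetch` get flagged. In a real page the same `findPatchedApis` call would be made early, before third-party bundles execute, so that a later override is caught against the native baseline.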

The hijacked packages include widely used libraries for styling command-line output and for debugging, such as:
- [email protected]
- [email protected] (appears to have been yanked as of 8 Sep 18:09 CEST)
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
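The practical question after a list like this is whether a given project pulls in any of the bad versions, directly or transitively. The following lockfile audit is an added example, not a tool from the article or from the npm project; the package names and versions in `AFFECTED` are constructed placeholders to be replaced with the real advisory data, and both lockfiles it walks are constructed samples. It handles the `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1.

```javascript
"use strict";

// Added example, not code from the article. Audit a package-lock.json for
// known-bad package@version pairs, including transitive dependencies.
// AFFECTED is a CONSTRUCTED placeholder: map of package name -> bad versions.
const AFFECTED = {
  "example-styling-lib": ["5.6.1"],
  "example-debug-lib": ["4.4.2"],
  "@example/scoped-lib": ["1.0.9"],
};

// Derive the package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b". The root entry ("")
// and workspace paths have no node_modules segment and yield null.
function nameFromLockPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  if (idx === -1) return null;
  return lockPath.slice(idx + "node_modules/".length);
}

// Walk the nested lockfile v1 "dependencies" tree, recording install paths.
function walkV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const lockPath = `${prefix}node_modules/${name}`;
    out.push({ path: lockPath, name, version: entry.version });
    if (entry.dependencies) walkV1(entry.dependencies, `${lockPath}/`, out);
  }
}

// Every installed {path, name, version} from either lockfile format.
function listInstalled(lock) {
  const out = [];
  if (lock.packages) {
    for (const [lockPath, entry] of Object.entries(lock.packages)) {
      const name = nameFromLockPath(lockPath);
      if (name && entry.version) out.push({ path: lockPath, name, version: entry.version });
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "", out);
  }
  return out;
}

// Installed packages whose exact version is on the affected list.
function findCompromised(lock, affected = AFFECTED) {
  return listInstalled(lock).filter(
    (p) => Array.isArray(affected[p.name]) && affected[p.name].includes(p.version)
  );
}

// Read a real lockfile from disk (fs is required lazily so the demo stays self-contained).
function loadLockfile(path) {
  const fs = require("node:fs");
  return JSON.parse(fs.readFileSync(path, "utf8"));
}

// CONSTRUCTED v3 sample: one direct hit, one transitive hit, one clean package,
// and one affected package at a version that is NOT on the list.
const SAMPLE_LOCK_V3 = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-styling-lib": { version: "5.6.1" },
    "node_modules/left-pad-ish": { version: "1.3.0" },
    "node_modules/left-pad-ish/node_modules/@example/scoped-lib": { version: "1.0.9" },
    "node_modules/example-debug-lib": { version: "4.4.1" },
  },
};

// CONSTRUCTED v1 sample covering the nested format.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "example-debug-lib": {
      version: "4.4.2",
      dependencies: { "example-styling-lib": { version: "5.6.0" } },
    },
  },
};

for (const h of findCompromised(SAMPLE_LOCK_V3)) {
  console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
}
```

To audit a real project, replace the sample with `findCompromised(loadLockfile("package-lock.json"))` and fail the build when the result is non-empty. Matching on exact versions is deliberate: the attack replaced specific releases, so a semver range check would both miss nested copies pinned by other packages and flag clean versions; the lockfile, not `package.json`, is the record of what is actually installed.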