Software Supply Chain Attack: 2B+ Downloads Affected
- A complex cyberattack compromised nearly two dozen open-source software packages on the npm registry, potentially affecting a vast number of applications and developers worldwide.
- Hackers successfully injected malicious code into approximately 23 npm packages.
- The compromised packages are indirectly depended on by countless applications, libraries, and frameworks.
Major Supply Chain Attack Targets npm Packages, Affecting Billions of Downloads
A complex cyberattack compromised nearly two dozen open-source software packages on the npm registry, potentially affecting a vast number of applications and developers worldwide. The incident, revealed on Monday, appears to be a targeted effort to maximize reach within the software ecosystem.
Last updated: September 9, 2024, 09:13:11 AM PDT
What Happened?
Hackers successfully injected malicious code into approximately 23 npm packages. These packages collectively receive over 2 billion weekly downloads, indicating the scale of potential impact. The attack was discovered after security researchers noted unusual activity and alerted the community.
The compromised packages are indirectly depended on by countless applications, libraries, and frameworks. This means that even developers who didn’t directly use these packages could be affected if their projects rely on software that does.
Researchers believe this was a targeted attack, specifically designed to maximize its reach across the software development landscape. The attackers aimed to compromise widely used components in order to infect as many downstream projects as possible.
How Did the Attack Work?
The attack vector was a phishing campaign targeting Junon, a developer with publish access to several popular npm packages. The attackers sent an email from support.npmjs.help, a domain registered just three days before the attack and chosen to mimic the official npmjs.com domain.
The email falsely claimed that Junon’s account would be closed unless he updated his two-factor authentication (2FA) details. 2FA adds a second factor beyond the password, typically a physical security key or a one-time code from an authenticator app. By tricking Junon into entering his credentials on the lookalike site, the attackers took over his npm account and gained the ability to publish malicious updates to his packages. A one-time code offers no protection in this scenario: the victim types it into the attacker’s page, which relays it to the real site before the code expires. A FIDO2/WebAuthn security key, by contrast, is bound to the origin it was registered on and would not produce a valid assertion for a page served from npmjs.help.
Which Packages Were Affected?
While a comprehensive list is still being compiled, initial reports indicate that the following packages were compromised (as of September 9, 2024):
| Package Name | Weekly Downloads (approx.) | Description |
|---|---|---|
| colors | 1.8 million | Adds color to terminal output. |
| http-cache-semantics | 1.2 million | Defines HTTP cache semantics. |
| lodash | 1.1 million | Provides utility functions for common programming tasks. |
| js-yaml | 900k | A YAML parser and serializer. |
| More packages are being identified | Data pending | Details forthcoming |
Note: Download numbers are approximate and subject to change. The four entries listed here account for only a small fraction of the 2 billion weekly downloads cited above; the remaining compromised packages had not been identified at the time of writing.
What is the Impact?
The malicious code injected into these packages could potentially allow attackers to:
- Steal sensitive information from developers and end-users.
- Install malware on systems that use the compromised packages.
- Disrupt the functionality of applications that rely on the affected packages.
- Create backdoors for future attacks.
The widespread use of these packages means the potential impact is enormous, affecting countless organizations and individuals.
What Should Developers Do?
Developers are strongly advised to take the following steps:
- Audit your dependencies: Use tools like npm
