Security IT

Hackers Hijack npm Packages With 2 Billion Weekly Downloads in Supply Chain Attack (bleepingcomputer.com) 47

An anonymous reader shares a report: In what is being called the largest supply chain attack in history, attackers have injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack.

The package maintainer whose accounts were hijacked in this supply-chain attack confirmed the incident earlier today, stating that he was aware of the compromise and adding that the phishing email came from support [at] npmjs [dot] help, a domain that hosts a website impersonating the legitimate npmjs.com domain.

In the emails, the attackers threatened that the targeted maintainers' accounts would be locked on September 10th, 2025, as a scare tactic to get them to click on the link redirecting them to the phishing sites.

  • "phishing email" really! I have never taken the npm plunge because of the history.
    • by gweihir ( 88907 ) on Monday September 08, 2025 @04:12PM (#65647080)

      Seems the whole JavaScript ecosystem is mediocre and worse (with apologies to the people that are the rare exceptions that can be found anywhere).

      • by will4 ( 7250692 )

        If there is a 0.001 chance an individual NPM package has issues, using 10 packages gives a greater than 1% chance and using 20 packages gives a greater than 2% chance.

        A react hello world package uses 2839 packages https://medium.com/frontendweb... [medium.com]

        • by Vihai ( 668734 )

          Thus 2839 packages give you 283.9% chance one is compromised?

        • That's a lot. I just checked a couple of old Vue apps I've got - so not quite 'hello world', but not super advanced either. They have about 800 packages or so. Certainly pushes the chances of using one of these malware packages pretty high, but seemingly not as bad as React (which always struck me as an over-engineered solution to most problems).

          FWIW, I've never liked nodejs in production. It's actually quite nice in the dev tool chain though. Both nodejs and NPM which goes with it are really a bit of a ces

          • by will4 ( 7250692 )

            It's really a question of what's the chance that any one package in the hundreds (thousands?) your solution is using directly or indirectly has

            - A critical unfixed bug
            - A dependency or code which will break on end of life of a language feature, library, system API call, ...
            - The package will be taken over and malware injected into the code
            - The package will become unmaintained or bump version number only zombie maintained
            - The package license will be changed for commercialization or require server side runt
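Added worked example (not from any commenter above): the "chance at least one package is compromised" calculation the subthread is arguing about, done properly as 1 - (1 - p)^n instead of n * p, plus a count of the transitive dependencies actually pinned in an npm lockfile so you can plug in your own n. The per-package probability of 0.001 and the 2839-package React figure are taken from the comments; the lockfile content is constructed here for illustration.

```python
import json

def compromise_probability(n_packages: int, p_per_package: float) -> float:
    """Probability that at least one of n independent packages has an issue.

    The naive n * p estimate from the thread over-counts, because it adds up
    the cases where two or more packages are bad. The exact figure for
    independent packages is 1 - (1 - p)^n, which can never exceed 1.
    """
    return 1.0 - (1.0 - p_per_package) ** n_packages

def naive_probability(n_packages: int, p_per_package: float) -> float:
    """The back-of-envelope n * p estimate, capped at 1 so it stays a probability."""
    return min(1.0, n_packages * p_per_package)

def count_lockfile_packages(lockfile_text: str) -> int:
    """Count the dependencies pinned in a package-lock.json (lockfile v2/v3).

    The "packages" map is keyed by install path; the empty key "" is the root
    project itself, so it is excluded. Every other entry is one package that
    npm will fetch and run, directly or transitively.
    """
    data = json.loads(lockfile_text)
    packages = data.get("packages", {})
    return sum(1 for path in packages if path != "")

# Constructed sample lockfile: a root project with three installed packages
# (two direct, one nested transitive dependency). Names are placeholders.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"example-a": "^1.0.0",
                                                     "example-b": "^2.0.0"}},
        "node_modules/example-a": {"version": "1.0.0"},
        "node_modules/example-b": {"version": "2.0.0"},
        "node_modules/example-b/node_modules/example-c": {"version": "0.1.0"},
    },
})

def risk_report(n_packages: int, p_per_package: float = 0.001) -> dict:
    """Return both estimates side by side for a given dependency count."""
    return {
        "packages": n_packages,
        "naive": naive_probability(n_packages, p_per_package),
        "exact": compromise_probability(n_packages, p_per_package),
    }

if __name__ == "__main__":
    n = count_lockfile_packages(SAMPLE_LOCKFILE)
    print(f"sample lockfile pins {n} packages")
    for count in (10, 20, 800, 2839):
        r = risk_report(count)
        print(f"{r['packages']:>5} packages: naive {r['naive']:.3f}, "
              f"exact {r['exact']:.3f}")
```

Run it against a real `package-lock.json` by reading the file into `count_lockfile_packages`; with p = 0.001 the exact figure for 2839 packages comes out just above 94%, not the 283.9% that the naive sum would suggest, and for 10 packages it is a hair under 1% rather than over it.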

  • by umopapisdn69 ( 6522384 ) on Monday September 08, 2025 @03:41PM (#65647040)
    Sheesh. Anti-Phishing training is so hard to do effectively. The inherent asymmetry of the conflict is crushing. Attackers only have to succeed once. Defenders must succeed every time.
    • by gweihir ( 88907 ) on Monday September 08, 2025 @04:11PM (#65647076)

      It has always been an asymmetric fight. And that is not going to change. With LLMs now writing apparently quite reasonable malware (for malware it does not matter if it is insecure or you have to write 20 different versions before one works), the conflict is going to get even more asymmetrical and the pressure on crapware makers will increase.

      This attack is one reason professional admin work uses dedicated machines and sign-offs by a 2nd admin for everything. Amateur-level procedures have really run their course and do not cut it anymore.

      • by Tom ( 822 )

        Amateur-level procedures have really run their course and do not cut it anymore.

        Do you want to bet on the percentage of Fortune 500 companies that use amateur-level procedures for their prod systems?

        "Above 50%" seems like a guaranteed win to me.
        "Above 75%" is where I start to think "maybe not that high". But I fear I'm giving them too much credit.

    • by Bert64 ( 520050 ) <bert@sla s h d o t . f i r e nzee.com> on Monday September 08, 2025 @05:30PM (#65647208) Homepage

      So long as companies continue to send out suspicious looking emails they will be conditioning users to fall for the phishing.
      I've lost track of the number of legit companies that sent me mails which looked like phishing - instructions to click links, enter passwords etc. They act all indignant when you report the suspicious emails as phishing.

      And another problem is not using the infrastructure that already exists - S/MIME has been around for years, supported OOTB by Outlook, the Android mail app, Apple Mail, etc. Yet you get treated with suspicion if you sign your mails, and many companies go so far as to implement poorly designed "security features" that directly conflict - e.g. rewriting all links to forward to a useless link checker site, which obviously invalidates the signature every time.

      • by Bert64 ( 520050 ) <bert@sla s h d o t . f i r e nzee.com> on Monday September 08, 2025 @05:35PM (#65647218) Homepage

        And don't even get me started on the "secure messaging" applications a lot of companies use... Instead of emailing you the content/file directly, it sends you a link to sign up to some "secure email" site, from which you can download the actual content.

        1) the notification looks like a phishing attempt because it invites you to click a link and login/register somewhere
        2) the purpose of the system is to not send the content over unencrypted email, however since you register to the system (and reset your password) using your email address, anyone who is in a position to intercept your email is also in a position to gain access to the supposed "secure email" system, so it totally fails at what it was trying to achieve.

        All you've achieved is some worthless theatre, while also encouraging users to click on links and enter credentials into random sites.

        • you register to the system (and reset your password) using your email address, anyone who is in a position to intercept your email is also in a position to gain access to the supposed "secure email" system, so it totally fails at what it was trying to achieve.

          You're missing the whole fucking point of those systems.

          Yes, access to the email is access to the content - for a limited time. If your account was compromised, the links from last week don't work. Those systems don't allow you to refresh a link yourself, and you'd have to email whoever sent it to ask for a new one. At least some activity that could lead to discovery of a compromised account instead of passively slurping up years of email attachments.

          The other purpose is delivery confirmation. Not just ope

    • I manage my own domain and create aliases for each online account I create. Two years ago, an airline I used to fly with got hacked and my e-mail with the template $AIRLINE.customer.$RANDOM@mydomain.com started getting spam. I deleted this alias and created a new account, but I also created a catchall on the domain then forgot about it.

      Last week I opened the catchall inbox. I found a series of very well designed phishing emails. It's something like "tribunal of $MY_DISTRICT has pending process 123ZYX654, wi

      • I manage my own domain and create aliases for each online account I create.

        I do a very similar thing with my email domain, using both aliases and catchall. And I get tons of spam in my catch-all to made-up addresses. Lots of the same ones over and over. Eventually I create aliases for the largest offenders and route those to a particular mailbox I hope fills up and stops receiving.

        The most infuriating was when PayPal accounts (spit!) started getting opened to addresses in my domain. No way anyone can receive those to complete the registration validations. Well, no way I think, w

    • by Tom ( 822 )

      Sheesh. Anti-Phishing training is so hard to do effectively.

      It is impossible to do now that half of what we have always considered clear indicators of a scam or phishing attempt are actually being done by actual companies.

  • by gweihir ( 88907 ) on Monday September 08, 2025 @04:06PM (#65647066)

    At the very least anything that goes into production should have a 2nd person review and sign-off on it. That tends to curb this kind of thing. On the other hand, maybe NPM is just a toy collection without quality, security and reliability? Given that it is JavaScript, that seems likely.

    • In short yes, NPM is a toy. This is unfortunate because it's the only reasonable automated way to get a couple of packages which I am pulling in as dependencies.

      • by gweihir ( 88907 )

        Well. At some time not too far into the future, messes like that will need to be decommissioned or cleaned up. The cost of not doing that is getting way too high.

  • by xack ( 5304745 ) on Monday September 08, 2025 @04:47PM (#65647120)
    At least when a CD-ROM was infected they could be recalled and replaced. I just know that Windows Update will get hacked one day and have 1 billion computers ransomwared. It will probably be an AI hallucination from a dev team overworked from layoffs.
  • by jonwil ( 467024 ) on Monday September 08, 2025 @06:36PM (#65647308)

    Anyone who uploads packages to NPM should be required to have 2FA on their accounts (and the good kind of 2FA that can't be hacked like TOTP not weak 2FA like SMS 2FA or email 2FA)

    Would such a thing make hacking NPM maintainer accounts (via phishing or otherwise) impossible? No. But it would go a long way to making it harder for the hackers.

  • by NotEmmanuelGoldstein ( 6423622 ) on Monday September 08, 2025 @09:23PM (#65647576)
    So, he didn't think that an email offering log-in required a second thought? So, he didn't use his own bookmark for accessing his account? So, he didn't examine the destination URL when it appeared in his browser? So, the NPM repository doesn't have 2FA? (Its absence would be telling, too.)

    With half of businesses, outsourcing security services to the other half, I know that legit warning emails from strangers are common. But this is 'illiterate grandmother' level of stupidity: One wonders how robust his software is?

  • But the "m" in npm always stood for "malware", did it not?

    The npm ecosystem is deeply flawed. Look at some of the affected repositories. Many of them are just a few lines of code, yet over a hundred other packages depend on them. At least half of them have no reason to even exist. A lot of them have last been updated years ago.

    We have an ecosystem where seemingly every individual function has its own package. That is just ridiculous. It is modularization driven to its absurd extreme. It's why you add one pa

    • Having worked with Nodejs for the last couple of years, +10 to your comment. I just got laid off, my hope is that I can avoid Nodejs in the next job.

  • got compromised. Be safe out there.
