Ethical Hacking News

Hackers' Supply Chain Heist: A Tale of Empty Pockets and Cryptocurrency Scams



A massive NPM supply-chain attack left hackers empty-handed, despite causing widespread disruption to cloud environments. The attackers stole less than $1,000 in cryptocurrency profits, highlighting the need for improved security measures in software supply chains.

  • The recent NPM supply-chain attack left hackers empty-handed despite causing significant disruption to cloud environments.
  • The attackers compromised multiple highly popular NPM packages, including chalk and debug-js, through a password reset phishing lure.
  • The malicious updates contained a module that stole cryptocurrency by redirecting transactions to the threat actor's wallet.
  • Only 1 in 10 cloud environments were affected during the malicious packages' brief window of availability on npm.
  • The attack had significant financial implications for companies, requiring hours for cleanups and rebuilding, but the attackers made less than $1,000 in cryptocurrency profits.
  • The attackers' lack of sophistication and ambition prevented them from causing more serious security incidents.
  • The attack highlights the need for better authentication protocols, regular security audits, and increased awareness among developers to prevent similar attacks.



    The recent NPM supply-chain attack has left hackers empty-handed, despite causing significant disruption to cloud environments. The attack, which occurred earlier this week, targeted maintainer Josh Junon's account through a password reset phishing lure. This compromised multiple highly popular NPM packages, including chalk and debug-js, which together have over 2.6 billion weekly downloads.

    The malicious updates pushed by the attackers contained a malicious module that stole cryptocurrency by redirecting transactions to the threat actor's wallet. The open-source software community quickly discovered the attack, and all the malicious packages were removed within two hours. According to researchers at cloud security company Wiz, one or more of the compromised packages were used in 99% of cloud environments.

    The malicious code successfully reached 1 in 10 cloud environments during its brief window of availability on npm. This serves as a stark reminder of how fast malicious code can propagate in supply chain attacks like this one. The attack's impact was significant, requiring companies to spend hours for cleanups, rebuilding, and auditing.
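    One defensive follow-up to that propagation speed is checking what is already installed. The block below is an added example, not code from the article or from any of the vendors it cites: it audits a parsed npm package-lock.json (lockfile v2/v3 "packages" map) for advisory-listed versions, including transitive copies nested under other dependencies. The package names come from the article; the version strings, lockfile contents and integrity values are constructed placeholders.

```javascript
// Added example: audit an npm lockfile for advisory-listed package versions.
// Package names (chalk, debug) come from the article; the versions below are
// constructed placeholders, not the real compromised releases.
const ADVISORY = {
  chalk: new Set(["0.0.0-compromised"]), // placeholder version
  debug: new Set(["0.0.0-compromised"]), // placeholder version
};

// Lockfile keys look like "node_modules/a/node_modules/chalk" or
// "node_modules/@scope/name"; the package name is everything after the
// last "node_modules/" segment, so nested (transitive) copies are handled.
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walk every installed package entry and report those matching the advisory.
function findCompromised(lock, advisory = ADVISORY) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // "" is the root project itself
    const name = entry.name || nameFromLockPath(lockPath);
    const badVersions = advisory[name];
    if (badVersions && badVersions.has(entry.version)) {
      hits.push({
        path: lockPath,
        name,
        version: entry.version,
        integrity: entry.integrity || null, // missing integrity is itself worth flagging
      });
    }
  }
  return hits;
}

// Constructed sample lockfile: a clean top-level chalk, a compromised transitive
// copy of chalk under another dependency, and a compromised top-level debug.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.3.0", integrity: "sha512-PLACEHOLDER" },
    "node_modules/some-cli": { version: "2.1.0", dependencies: { chalk: "*" } },
    "node_modules/some-cli/node_modules/chalk": { version: "0.0.0-compromised" },
    "node_modules/debug": { version: "0.0.0-compromised", integrity: "sha512-PLACEHOLDER" },
  },
};

for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`FLAG ${hit.name}@${hit.version} at ${hit.path}`);
}
```

    In practice, replace SAMPLE_LOCK with the parsed contents of a project's package-lock.json and the advisory map with the versions named in the published advisory.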

    However, the security implications of the attack were negligible, just like the threat actor's profit. An analysis by Security Alliance revealed that the injected code targeted browser environments, hooking Ethereum and Solana signing requests. This allowed the attackers to swap cryptocurrency wallet addresses with their own, effectively hijacking transactions without causing any serious harm beyond that.

    The type of payload used in the attack saved companies from a much more serious security incident. The threat actor could have used their access to plant reverse shells, move laterally on the network, or even plant destructive malware. The fact that they chose not to do so is a testament to the attackers' lack of sophistication and ambition.

    Despite the massive scale of the attack and the numerous victims, the attackers made less than $1,000 in cryptocurrency profits. Socket researchers published a report yesterday, alerting that the same phishing campaign also impacted DuckDB's maintainer account, compromising the project's packages with the same crypto-stealing code.

    According to Socket, the profits traced to the attackers' wallets are roughly $429 in Ethereum, $46 in Solana, and small amounts in Bitcoin, Tron, BCH, and LTC totaling $600. It is also noted that the attackers' wallet addresses holding any significant amounts have been flagged, limiting their ability to convert or use the little money they made.

    The attack has left many questions unanswered. How did the attackers manage to compromise Josh Junon's account in the first place? What was the scope of their knowledge and expertise before carrying out the attack? And what exactly were their motivations for this cyber heist?

    One thing is certain: this attack serves as a stark reminder of the importance of robust security measures in our software supply chains. The attackers' ability to breach Josh Junon's account and push malicious updates onto npm highlights the need for better authentication protocols, regular security audits, and increased awareness among developers.

    In conclusion, the NPM supply-chain attack may have been unsuccessful in terms of financial gain, but it has had a significant impact on the software community. It is crucial that we take this as an opportunity to reassess our security postures and implement more robust measures to prevent such attacks in the future.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-Supply-Chain-Heist-A-Tale-of-Empty-Pockets-and-Cryptocurrency-Scams-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/hackers-left-empty-handed-after-massive-npm-supply-chain-attack/

  • https://www.techspot.com/news/109399-massive-supply-chain-attack-compromised-open-source-js.html

  • https://arstechnica.com/security/2025/09/software-packages-with-more-than-2-billion-weekly-downloads-hit-in-supply-chain-attack/

  • https://checkmarx.com/zero-post/chalk-and-17-other-npm-packages-compromised-in-supply-chain-attack/

  • https://www.wiz.io/blog/widespread-npm-supply-chain-attack-breaking-down-impact-scope-across-debug-chalk

  • https://www.wiz.io/academy/malware-scanning

  • https://www.bleepingcomputer.com/news/security/ai-powered-malware-hit-2-180-github-accounts-in-s1ngularity-attack/


  • Published: Wed Sep 10 15:28:02 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.