

Ethical Hacking News

NPM Supply Chain Attack: A Complex Web of Deception and Malware


A self-propagating worm has been unleashed on the npm package registry, compromising 187 packages and leaving behind stolen secrets and malicious code. The attackers appear to be the same crew that targeted Nx at the end of August; this time the payload spreads itself to every other package its victims are able to publish.

  • The npm package registry was hit by a malicious campaign that left behind compromised packages, stolen secrets, and malicious code.
  • The attackers used a self-propagating worm that spreads across packages and systems while harvesting secrets and credentials.
  • The malware looks specifically for AWS keys, GCP and Azure service credentials, GitHub personal access tokens, cloud metadata endpoints, and npm authentication tokens.
  • It publishes the stolen credentials and tokens to a new repository created under the victim's GitHub account, a direct threat to developers and to the organisations whose secrets they hold.
  • The incident is part of a larger, ongoing supply chain campaign: 40 packages were reported initially and 147 more have since been found compromised, 187 in total.
  • The attackers' aim appears to be access to credentials and systems rather than immediate financial gain.
  • Researchers recommend uninstalling compromised versions, pinning unaffected versions, rotating tokens, and monitoring logs for unusual events.




    The world of software development is under siege once again: the npm package registry has become the target of another malicious campaign. The attackers, characterised in the coverage as "crypto thieves", have left behind compromised packages, stolen secrets, and malicious code that threatens every project depending on the affected versions.

    According to Charlie Eriksen, a malware researcher at Aikido, the attacker appears to be the same one who targeted Nx at the end of August, a campaign in which developers' secrets, including credentials, were posted to public GitHub repositories. This latest attack is more sophisticated: the payload is a self-propagating worm that spreads itself across packages and systems.

    The attack works by embedding a malicious payload in compromised npm packages, many of them depended upon by large numbers of projects. When a victim installs one, the payload runs on their machine and harvests secrets, system information, and credentials. Before moving to the next stage it runs TruffleHog to scan for secrets; researchers noted that it specifically looks for AWS keys, GCP and Azure service credentials, GitHub personal access tokens, cloud metadata endpoints (the source of temporary instance credentials), and npm authentication tokens.

    In the same style as the Nx attack, the payload then creates a new repository under the victim's GitHub account and dumps the stolen credentials and tokens into it. It also writes a double-encoded copy into the victim's GitHub Actions logs as a backup in case the attempt to send the secrets to the attackers' server fails. The repository the malware creates is called Shai-Hulud, which sci-fi fans will recognise as the name of the giant sandworm in Frank Herbert's Dune.
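    The fallback exfiltration path described above, a double-encoded dump of secrets written into a CI job log, can be hunted for after the fact. The following is an added example, not code from the article or from the researchers it cites: it scans log lines for base64 blobs, peels up to two encoding layers (the page does not say which encoding the worm used, so double base64 is an assumption), and reports only the credential-looking key names it finds, never the values. The log lines and the secrets object are constructed for the demo.

```javascript
'use strict';
// Added example, not code from the article or the researchers it cites.
// Hunt CI/job log lines for a secrets JSON that was base64-encoded twice and
// printed into the log. Assumption: both layers are base64 (the page only says
// "double-encoded"). Findings carry key names only, never the secret values.

const SECRET_KEY_RE = /(token|secret|key|password|credential|cookie)/i;
const B64_BLOB_RE = /[A-Za-z0-9+/]{40,}={0,2}/g;   // candidate blobs inside a line
const B64_FULL_RE = /^[A-Za-z0-9+/]+={0,2}$/;      // whole string is base64

// Parse text as a JSON object/array; null on any failure.
function tryJson(text) {
  try {
    const v = JSON.parse(text);
    return v && typeof v === 'object' ? v : null;
  } catch (_) {
    return null;
  }
}

// Collect dotted paths of every key that looks credential-related, recursively.
function sensitiveKeys(obj, prefix = '', out = []) {
  for (const [k, v] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${k}` : k;
    if (SECRET_KEY_RE.test(k)) out.push(path);
    if (v && typeof v === 'object' && !Array.isArray(v)) sensitiveKeys(v, path, out);
  }
  return out;
}

// Peel up to maxLayers of base64; return {layers, json} at the first layer that is JSON.
function peelBase64(blob, maxLayers = 2) {
  let text = blob;
  for (let layers = 1; layers <= maxLayers; layers++) {
    if (!B64_FULL_RE.test(text)) return null;
    text = Buffer.from(text, 'base64').toString('utf8');
    const json = tryJson(text);
    if (json) return { layers, json };
  }
  return null;
}

// Returns [{ line, layers, keys }] for every blob that decodes to a JSON object
// containing credential-looking keys.
function scanLogLines(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    for (const blob of line.match(B64_BLOB_RE) || []) {
      const peeled = peelBase64(blob);
      if (!peeled) continue;
      const keys = sensitiveKeys(peeled.json);
      if (keys.length === 0) continue;
      findings.push({ line: idx + 1, layers: peeled.layers, keys });
    }
  });
  return findings;
}

// Constructed sample: fake secrets object, double base64-encoded into a fake log.
const FAKE_LOOT = {
  aws: { AWS_ACCESS_KEY_ID: 'AKIAEXAMPLE000000000', AWS_SECRET_ACCESS_KEY: 'fake' },
  github: { GITHUB_TOKEN: 'ghp_fake' },
  npm: { NPM_TOKEN: 'npm_fake' },
  hostname: 'build-runner-01',
};
const doubleEncoded = Buffer.from(
  Buffer.from(JSON.stringify(FAKE_LOOT)).toString('base64')
).toString('base64');

const SAMPLE_LOG = [
  '2025-09-16T09:41:02Z Run npm ci',
  '2025-09-16T09:41:30Z added 412 packages in 28s',
  `2025-09-16T09:41:31Z ${doubleEncoded}`,
  '2025-09-16T09:41:32Z Run npm test',
];

console.log(JSON.stringify(scanLogLines(SAMPLE_LOG), null, 2));
```

    Feed it the raw log of any workflow run that happened on an affected runner; a hit means the secrets named in the finding were on that machine and must be rotated, whether or not the primary exfiltration to the attackers' server succeeded.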

    Eriksen said the choice of name is "a clear indication of the intent of the attackers." The malware then uses any valid npm tokens it finds to publish new versions of other packages the victim maintains, injecting the same payload so the cycle repeats, and makes public any private repositories it can reach. Because each newly infected maintainer's tokens seed the next round, the worm can spread rapidly across many packages and organisations.

    The npm compromise is one part of a supply chain campaign that has been running for some time. Socket and StepSecurity first reported this round on September 15, with 40 packages affected; Eriksen has since counted 147 additional packages compromised the same way, including packages published by security vendor CrowdStrike.

    It is worth noting that the attackers appear to have left "pocket change" behind: the payload goes after credentials and tokens rather than money, which suggests the objective is access to sensitive systems, from which further compromise follows, rather than immediate theft.

    Researchers recommend that users uninstall any compromised versions and that maintainers pin versions confirmed to be unaffected. Rotate every token and secret that was present on an affected machine or CI runner (npm tokens, GitHub personal access tokens, cloud credentials), and monitor logs for unusual events such as unexpected package publishes or new repositories appearing under developer accounts.
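    The uninstall-and-pin steps above can be driven from the lock file. The following is an added example, not code from the article or from Socket, StepSecurity or Aikido: it reads a package-lock.json (lockfileVersion 2 or 3), lists every installed copy of a package that appears on a compromised name@version list, generates an npm overrides block to pin those packages to a known-good version, and flags every package whose lock entry carries hasInstallScript, since an install-time lifecycle script is the hook a worm of this kind depends on. The lock file, package names, compromised list and known-good versions are fictional and constructed for the demo.

```javascript
'use strict';
// Added example, not code from the article or the researchers it cites.
// Triage a package-lock.json (lockfileVersion 2 or 3): find installed copies of
// compromised name@version pairs, emit an npm "overrides" block to pin them to a
// known-good version, and flag packages that run install lifecycle scripts.

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// ["name@1.2.3", "@scope/pkg@2.0.0"] -> Map(name -> Set(versions))
function indexCompromised(specs) {
  const byName = new Map();
  for (const spec of specs) {
    const at = spec.lastIndexOf('@');          // lastIndexOf: scoped names start with "@"
    const name = spec.slice(0, at);
    const version = spec.slice(at + 1);
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(version);
  }
  return byName;
}

function auditLockfile(lock, compromisedSpecs, opts = {}) {
  const { knownGood = {}, installScriptAllowlist = [] } = opts;
  if (!lock.packages) {
    throw new Error('lockfileVersion 2 or 3 required (no "packages" map in lock file)');
  }
  const compromised = indexCompromised(compromisedSpecs);
  const allow = new Set(installScriptAllowlist);
  const report = { compromised: [], installScripts: [], overrides: {} };

  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === '') continue;             // "" is the project itself
    const name = packageNameFromPath(lockPath);
    const hit = { path: lockPath, name, version: entry.version };
    if (compromised.get(name)?.has(entry.version)) {
      report.compromised.push(hit);
      // an override pins the name at every nesting level, which a plain dependency pin does not
      if (knownGood[name]) report.overrides[name] = knownGood[name];
    }
    // npm sets hasInstallScript when a package declares preinstall/install/postinstall
    if (entry.hasInstallScript && !allow.has(name)) report.installScripts.push(hit);
  }
  return report;
}

// Constructed sample lock file; every package name and version here is fictional.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'example-colorlib': '^4.1.0' } },
    'node_modules/example-colorlib': { version: '4.1.2', hasInstallScript: true },
    'node_modules/@acme/build-helper': { version: '2.0.0' },
    'node_modules/@acme/build-helper/node_modules/example-colorlib': { version: '4.1.0' },
    'node_modules/native-addon-example': { version: '1.3.0', hasInstallScript: true },
  },
};
// Constructed advisory list: 4.1.2 of example-colorlib is bad; build-helper 2.0.1 is not installed.
const COMPROMISED = ['example-colorlib@4.1.2', '@acme/build-helper@2.0.1'];
const KNOWN_GOOD = { 'example-colorlib': '4.1.0' };

const SAMPLE_REPORT = auditLockfile(SAMPLE_LOCK, COMPROMISED, {
  knownGood: KNOWN_GOOD,
  installScriptAllowlist: ['native-addon-example'], // native addons legitimately build on install
});
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

    Run it against a real project by replacing SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and COMPROMISED with the advisory's list. While triaging, install with npm ci --ignore-scripts so no lifecycle script runs; then paste the overrides object into package.json and run npm ci again. Packages that genuinely need install scripts (native addons) belong in the allowlist rather than being waved through wholesale.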

    The attack also shows that taking the newest version of a dependency as soon as it appears is itself a risk: the malicious versions were new releases pushed with stolen publish tokens, so lock files, deliberate pinning, control over install-time scripts, and short-lived, narrowly scoped tokens protect a project more than update speed does.

    The Shai-Hulud npm compromise is a serious incident that underlines the persistent threat supply chain attacks pose to software development. It is a reminder for developers and maintainers to treat dependency hygiene and publish-token security as first-class engineering concerns.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/NPM-Supply-Chain-Attack-A-Complex-Web-of-Deception-and-Malware-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/09/16/npm_under_attack_again/

  • https://www.msn.com/en-us/news/technology/self-propagating-worm-fuels-latest-npm-supply-chain-compromise/ar-AA1MF5rT

  • https://forums.theregister.com/forum/all/2025/09/16/npm_under_attack_again/


  • Published: Tue Sep 16 11:25:50 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
