Massive Supply Chain Breach Hits npm: 2 Billion Weekly Downloads Compromised

Apps with two billion downloads a week were compromised, but the malware was caught in under an hour.

Published on Sep 10, 2025
Written by Joel Witts
Technical Review by Laura Iannini

On Tuesday, a single phishing email let a threat actor compromise over 18 npm packages downloaded nearly 2 billion times a week, a breach so massive some researchers are calling it the biggest software supply chain compromise in history.

With that kind of access, they could have planted backdoors, stolen API keys, or sabotaged thousands of applications. Instead, they injected noisy crypto-stealer malware. After the dust settled, the attackers made off with just $500.

npm is a massively valuable target for cybercriminals. npm (node package manager) is the central repository for JavaScript and Node.js packages. Developers and automated systems like CI/CD pipelines constantly pull in npm dependencies. 

Just one compromised package could spread down the supply chain to compromise potentially millions of applications.

Fortunately, this attack was detected in under an hour by security researchers. Malicious versions of the packages were swiftly removed and major cloud infrastructure hosting providers like Vercel began purging build caches and notifying customers to rebuild with clean versions. 

At time of writing, it appears the outcome of the attack has been limited, with only around $500 USD of cryptocurrency actually stolen. 

So, What Actually Happened?

On Tuesday September 8, the security research team at Aikido Security detected “a series of packages…which appeared to contains [sic] malicious code.”

NPM developer Josh Junon, also known as Qix, later confirmed that he had been ‘pwned’ by a phishing email which impersonated a support ticket asking him to update his 2FA credentials.

Yep, I've been pwned. 2FA reset email, looked very legitimate. Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again. Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.

Josh Junon (@bad-at-computer.bsky.social) 2025-09-08T15:15:45.497Z

Qix maintains many of the most popular npm packages. With his credentials, the threat actor was able to inject crypto-stealing malware into packages downloaded almost 2 billion times per week.

The malware worked by hijacking Web3 wallet interactions and replacing destination addresses with attacker-controlled ones. It also used string-matching logic to replace the targeted addresses with look-alike values, making the swap harder to notice.

Luckily, the malicious code was noisy and found swiftly by security researchers, meaning there was very little scope for widespread compromise. 

Crypto-stealing malware of this kind also only works if the victim is actively using a Web3 wallet in the browser, which the backend and server developers who pull in these packages are unlikely to be doing.

Security researcher @4484 built a tracking dashboard for the attackers' wallet addresses, which at the time of writing shows just $505.45 USD.

Researchers at Socket and Sonatype have reported that the same attackers also compromised another npm maintainer, duckdb_admin, to spread malicious code further.

If you believe you or your applications have been affected, security researchers at the Observations Substack recommend that you: ‘Immediately audit your project’s dependencies. Pin all affected packages to their last known-safe versions using the overrides feature in package.json.’

Threat researchers at Aikido recommend:

  • Checking the versions you are using
  • Cleaning your npm cache
  • Reinstalling all packages in your repository
  • Making sure you use a package lock file, and using pinned versions
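One way to carry out the audit and pinning steps above (checking installed versions against a list of compromised releases and generating the `overrides` block for package.json), as an added example that is not code from the article, Aikido, or the Observations Substack. The package names, versions and lockfile excerpt are constructed placeholders, not the real packages or versions from the incident.

```javascript
// Added example (not from the article or the researchers quoted in it):
// audit a package-lock.json (lockfile v2/v3) for versions on a compromised list
// and emit a package.json "overrides" block pinning each affected package to its
// last known-safe version. All names/versions are CONSTRUCTED placeholders.
const compromised = {
  // name -> { bad: versions published by the attacker, safe: last clean version }
  "example-pkg-a": { bad: ["1.4.2"], safe: "1.4.1" },
  "example-pkg-b": { bad: ["4.4.2", "4.4.3"], safe: "4.4.1" },
};

// Constructed lockfile excerpt in the v2/v3 shape: "packages" keyed by install path.
const sampleLock = {
  packages: {
    "": { name: "my-app", dependencies: { "example-pkg-a": "^1.4.0" } },
    "node_modules/example-pkg-a": { version: "1.4.2" },
    "node_modules/example-pkg-b": { version: "4.4.1" },
    "node_modules/some-dep/node_modules/example-pkg-b": { version: "4.4.3" },
    "node_modules/unrelated": { version: "0.0.1" },
  },
};

// Package name from a lockfile path: everything after the last "node_modules/",
// which handles nested installs and @scope/name packages.
function nameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}

// Every installed entry (including nested copies) whose version is compromised.
function findCompromised(lock, list) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = nameFromPath(path);
    const info = list[name];
    if (info && info.bad.includes(entry.version)) {
      hits.push({ path, name, version: entry.version, safe: info.safe });
    }
  }
  return hits;
}

// Exact (unranged) pins for package.json "overrides", so a fresh
// `npm install` cannot resolve back to a bad version.
function buildOverrides(list) {
  return Object.fromEntries(Object.entries(list).map(([n, i]) => [n, i.safe]));
}
console.log(JSON.stringify({ hits: findCompromised(sampleLock, compromised),
  overrides: buildOverrides(compromised) }, null, 2));
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))` and `compromised` with the published list of affected versions; the nested copy is reported separately because transitive dependencies can carry their own vulnerable version even when the top-level one is clean.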

Why This Matters

This particular attack feels like a near miss. A more serious or malicious threat actor that hid their tracks better could have planted backdoors, stolen API keys, or pursued a long-term persistence strategy.

This breach could have been colossal, but instead, it looks like a missed opportunity.

As @_SEAL_Org wrote on X: “This could’ve been much worse.”

The key lesson: securing the software supply chain must be a priority.

This week, CISA has provided new guidance for software vendors and operators on the importance of implementing Software Bills of Materials (SBOMs) to secure software supply chains and their components.

Often referred to as an “ingredients list,” SBOMs provide organizations with visibility into software dependencies.

An SBOM makes it easier to track vulnerabilities when they appear and helps teams catch and fix potential risks, like this attack, much more quickly.
