Dan Goodin
2025-09-08 20:37:00
arstechnica.com
The email message Junon fell for came from an email address at support.npmjs.help, a domain created three days ago to mimic the official npmjs.com used by npm. It said Junon’s account would be closed unless he updated information related to his 2FA—which requires users to present a physical security key or supply a one-time passcode provided by an authenticator app in addition to a password when logging in.
According to an analysis from security firm Aikido, the malicious code injects itself into the web browser of infected systems and begins monitoring for transfers involving ethereum, bitcoin, solana, tron, litecoin, and bitcoin cash currencies. When such a transaction was detected, the infected packages replaced the destination wallet with an attacker-controlled address. The malware worked by hooking JavaScript functions, including fetch, XMLHttpRequest, and wallet APIs. Hooking lets injected code intercept a function at specific execution points, so calls can be blocked or their arguments altered before the original function runs.
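The analysis above describes the attack from the malware's side: the browser's own networking and wallet entry points are replaced with wrappers that rewrite the destination address. The defensive counterpart is to check whether those entry points are still the engine's native implementations, and to verify the outgoing payload against the address the user actually typed. The following is an added example written for this page, not code from the article, from Aikido, or from the compromised packages; the `ethereum.request` property name (the EIP-1193 injected provider) is an assumption about the page being protected, and the sample global object at the bottom is constructed for the demonstration.

```javascript
// Added defensive example (not from the article or from Aikido).
// Part 1: detect replaced entry points. Part 2: verify the destination
// address in a transaction payload before it leaves the page.

// True when fn is an engine-native function. We call
// Function.prototype.toString directly instead of fn.toString() so an own
// `toString` planted on a hook cannot lie. Caveats: a hook built with
// fn.bind() or wrapped in a Proxy also reports "[native code]", and an
// attacker who patches Function.prototype.toString itself defeats the
// check, so a clean result means "no evidence of tampering", not proof.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// `targets` maps a label to a function (undefined if the API is absent).
// Returns the labels that are present but no longer native.
function findHookedFunctions(targets) {
  const hooked = [];
  for (const [label, fn] of Object.entries(targets)) {
    if (fn !== undefined && !isNativeFunction(fn)) hooked.push(label);
  }
  return hooked;
}

// Gather the entry points named in the analysis from a browser-like global.
// `ethereum.request` is an assumption (EIP-1193 provider); the rest are
// standard Web APIs.
function collectTargets(g) {
  const xhr = g.XMLHttpRequest && g.XMLHttpRequest.prototype;
  return {
    'fetch': g.fetch,
    'XMLHttpRequest.prototype.open': xhr && xhr.open,
    'XMLHttpRequest.prototype.send': xhr && xhr.send,
    'ethereum.request': g.ethereum && g.ethereum.request,
  };
}

// Address shapes for two of the currencies the analysis lists. These match
// the form only; they are not checksum validators.
const ADDRESS_PATTERNS = [
  /\b0x[0-9a-fA-F]{40}\b/g,           // Ethereum-style hex address
  /\bbc1[02-9ac-hj-np-z]{25,62}\b/g,  // Bitcoin bech32 (no 1, b, i, o)
];

// Every address-shaped string in a serialized request body, deduplicated.
function extractAddresses(body) {
  const found = new Set();
  for (const re of ADDRESS_PATTERNS) {
    for (const m of body.matchAll(re)) found.add(m[0]);
  }
  return [...found];
}

// Before sending, confirm the payload names the destination the user typed
// and nothing else address-shaped. Returns { ok, unexpected } so a caller
// can block the send and show the user exactly what was substituted.
function verifyDestination(intended, body) {
  const addresses = extractAddresses(body);
  const unexpected = addresses.filter((a) => a !== intended);
  const ok = addresses.includes(intended) && unexpected.length === 0;
  return { ok, unexpected };
}

// Constructed sample global: engine-native functions (Math.max etc.) stand
// in for the browser's real implementations, and `fetch` has been wrapped
// the way a hooking payload would wrap it.
const nativeStandIn = Math.max;
const sampleGlobal = {
  fetch: function fetch(...args) { return nativeStandIn.apply(this, args); },
  XMLHttpRequest: { prototype: { open: Object.keys, send: Array.isArray } },
};

// Run stand-alone: report hooked entry points and a substituted address.
const userTyped = '0x' + 'a'.repeat(40);
const tamperedBody = JSON.stringify({ to: '0x' + 'b'.repeat(40), value: '1' });
console.log('hooked:', findHookedFunctions(collectTargets(sampleGlobal)));
console.log('destination check:', verifyDestination(userTyped, tamperedBody));
```

In a real page the audit would run against `window`, ideally from a script that loads before any third-party bundle so it can also keep a reference to the original functions for comparison. Under Node, `fetch` is implemented in JavaScript rather than by the engine, so the native-code test is only meaningful in a browser; that is why the demonstration uses a constructed global.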
Word of the attack on the npm repositories came as two other supply-chain attacks took aim at other repositories that are influential in the open-source software ecosystem. One, disclosed Friday by security firm GitGuardian, compromised 3,325 authentication secrets for accounts on PyPI, npm, Docker Hub, GitHub, Cloudflare, and Amazon Web Services. In all, 327 GitHub users across 817 repositories were affected.
In the attack, compromised maintainer accounts pushed package updates that added malicious GitHub Actions workflows that extracted tokens and other sorts of authentication secrets. As of Friday, GitGuardian said, nine npm and 15 PyPI packages were at risk of compromise.
A separate supply-chain attack also hit users of GitHub last month, security firm Wiz reported last week. It targeted Nx, an open source build system and repository management tool used in enterprise settings. The initial compromise began with the attackers obtaining a valid authentication token for an npm account.
The malicious code extracted GitHub and npm tokens stored on compromised systems. It also abused AI command-line interfaces to identify additional files that might be useful for accessing repositories of interest. A second phase of the attack used the compromised GitHub tokens to expose private repositories by making them public on the victims’ GitHub profiles. The pilfered credentials were uploaded to GitHub repositories whose names contained s1ngularity-repository, forming the basis for the name s1ngularity that Wiz has given to the incident.