

Threat actors phished Qix's NPM account, then used their
access to publish poisoned versions of 18 popular open-source packages
accounting for more than 2 billion weekly downloads.
A supply chain attack involving multiple NPM packages had
the potential to be one of the most impactful security incidents in recent
memory, but those fears appear not to have been realized.
On the morning of Sept. 8, threat actors compromised the
Node Package Manager (NPM) account of prominent developer Qix through a
successful phishing attack. The attackers used this access to publish poisoned
versions of 18 popular open source packages accounting for more than
2 billion weekly downloads, including ansi-styles, debug, chalk, and
supports-color. The packages were updated to include crypto-stealing malware,
and for about two hours, all new downloads contained the malware.
The maintainer discovered the issue and took down the
infected versions, but applications that integrated the packages had the
potential to unleash significant downstream impact. While not nearly enough
time has passed to take complete stock of an incident such as this, fears of
a Log4j-style incident appear unfounded — at least for now.
In a thread on X, JFrog observed that other packages, such as
DuckDB, have also been infected with the malware, either as a follow-on
or separately. Even so, a blog post by security advocacy group
Security Alliance claimed attackers have made barely any money from poisoned
installs.
"Despite the magnitude of the breach, the attacker
appears to have only 'stolen' around 5 cents of [cryptocurrency Ethereum] and
20 USD of a memecoin with a whopping 588 USD of trading volume over the past 24
hours," the post read. "Indeed, it seems like the biggest financial
impact of this entire incident will be the collective thousands of hours spent
by engineering and security teams around the world working to clean compromised
environments, and the millions of dollars of sales contracts that will inevitably
be signed as a result of this new case study."
As for why the blast radius is so small, security researcher
Florian Roth in a post to X said that it came down to a lack of
competency on the part of the threat actors. "Since most companies run at
least one React or Angular app, [the threat actors] had the opportunity to
execute code on millions of systems across thousands of orgs. And they used it
to drop an amateurishly obfuscated crypto stealer, got caught by basic
detection rules, and the issue was remediated after two hours. I hope everyone
understands how close this was — and can imagine what would've happened if
someone with real skills had done it," Roth wrote.
Darren Meyer, security research advocate at Checkmarx Zero,
tells Dark Reading that he felt the attacker was well organized, accomplished a
high-quality phishing attack, and had malicious packages ready to go, and that
the attacker's malware was technically accomplished. He also applauded Qix
for acting transparently and quickly.
"I do not think people are overreacting: this bears the
hallmarks of a skilled, organized, and motivated attacker, and it seems to be
an ongoing and carefully managed attack," Meyer says. "The larger
developer community is very fortunate that Qix noticed the issue and chose to
respond with transparency, integrity, and urgency. But this underscores the
need for organizations who rely on open source packages — which,
these days, is pretty much everyone — to follow good supply-chain defense
basics."
These basics, he says, include maintaining a private package
repository, using supply chain security tools that take accurate inventories
and look for signs of compromise, and using endpoint tools to limit the scope
of a compromise should one occur.
Similarly, Mike McGuire, senior security solutions manager
at Black Duck, cited the malware's multilayered operation as particularly
alarming, specifically its "tampering with API calls and redirecting
cryptocurrency transactions without user awareness."
In an email, JFrog Security chief technology officer (CTO)
Asaf Karas tells Dark Reading that this issue accounts for "the largest
NPM supply chain attack in history," even if the fallout appears minor.
"While the impact to organizations currently seems to
be extremely minimal, this incident highlights how fragile the modern
JavaScript ecosystem is, where half of the codebase is dependent on single-line
utilities maintained by a single developer," Karas says.
And because the blast radius appears to be so wide, it may
well be worth it for teams to ensure their environments haven't been affected.
In a blog post, Wiz recommended searching
lockfiles and registries for compromised package versions; checking telemetry
and user reports for "unusual failures related to signing flows,
unfamiliar spender addresses in ERC-20 approvals, and reports of redirected
transfers"; conducting on-chain reviews for users active during the
timeframe the poisoned packages were available; and checking JavaScript assets
for signs of obfuscated code.
Teams should also blocklist affected package versions and
override to known safe versions. They should also "keep the blocklist
fresh daily while the campaign continues, including DuckDB and any newly
reported packages."
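
The lockfile search and override steps above can be scripted. The following is an added example, not code from Wiz or any vendor quoted here: it walks an npm lockfile (both the flat `packages` layout and the older nested `dependencies` tree), flags installs that match a blocklist, and builds a package.json `overrides` fragment. The package versions, the sample lockfile and all function names are constructed placeholders.

```javascript
// Constructed placeholder versions; substitute the ones from the advisory.
const BLOCKLIST = { chalk: ["0.0.0-bad.1"], debug: ["0.0.0-bad.2"] };
const SAFE = { chalk: "0.0.0-safe.1", debug: "0.0.0-safe.2" };
// Constructed lockfile; in practice pass JSON.parse of package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "0.0.0-safe.1" },
    "node_modules/debug": { version: "0.0.0-bad.2" },
    "node_modules/some-logger/node_modules/chalk": { version: "0.0.0-bad.1" },
    "node_modules/@scope/util": { version: "2.0.0" },
  },
};

// Yield {name, version, path} for every install recorded in the lockfile.
function* installs(lock) {
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const at = path.lastIndexOf("node_modules/");
      if (at < 0) continue; // root project or workspace folder
      yield { name: path.slice(at + 13), version: meta.version, path };
    }
    return;
  }
  yield* walkV1(lock.dependencies, "");
}
// lockfileVersion 1: nested "dependencies" tree.
function* walkV1(deps, prefix) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { name, version: meta.version, path };
    yield* walkV1(meta.dependencies, `${path}/`);
  }
}

// Nested copies count: a transitive install is flagged like a direct one.
function findCompromised(lock, blocklist) {
  return [...installs(lock)].filter((i) =>
    Object.hasOwn(blocklist, i.name) && blocklist[i.name].includes(i.version));
}

// Build a package.json "overrides" fragment pinning each hit to a safe version.
function buildOverrides(hits, safe) {
  const pins = hits.filter((h) => Object.hasOwn(safe, h.name));
  return Object.fromEntries(pins.map((h) => [h.name, safe[h.name]]));
}

const hits = findCompromised(SAMPLE_LOCK, BLOCKLIST);
console.log(hits, JSON.stringify({ overrides: buildOverrides(hits, SAFE) }));
```

The sample flags the top-level `debug` install and the `chalk` copy nested under another dependency, which a search of package.json alone would miss.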
Paul Jaramillo, managed detection and response director at
Sophos, explains that while attack impact was limited, there are lessons to be
learned.
"[The campaign] underscores the need to rigorously vet
dependencies and test before releasing to production," he says.
"Build environments should never automatically consume the latest versions
of package dependencies without human oversight. Organizations should configure
builds to use known-good package releases to avoid supply chain
compromise."