A recent string of attacks on the npm (Node Package Manager) ecosystem has put developers and organizations on high alert. Threat actors are exploiting compromised developer accounts to inject malicious code into widely used packages, creating a dangerous software supply chain vulnerability. This new wave of attacks demonstrates a shift from traditional “typosquatting” to more sophisticated methods of compromising the integrity of trusted software.
In contrast to past attacks where malicious actors would publish packages with names similar to popular ones, these new campaigns focus on account takeover. Threat actors gain unauthorized access to the legitimate accounts of package maintainers, often through phishing scams or credential stuffing attacks. Once inside, they publish malicious versions of existing packages. Since these updates come from a trusted source, they bypass many of the checks that would flag a brand-new, suspicious package.
The malicious code is often obfuscated and designed to execute during the installation process, typically using postinstall scripts. These scripts can perform a range of harmful activities, from stealing sensitive data like API tokens, credentials, and cryptocurrency wallet information to installing backdoors that provide attackers with persistent access to a developer’s machine.
Just last month, cybersecurity firm CrowdStrike reported a significant attack where threat actors compromised five popular npm packages, including a version of eslint-config-prettier with over 30 million weekly downloads. The compromised packages were modified to deliver a malicious DLL file, dubbed “Scavenger,” which was designed to steal a user’s npm authentication tokens and other browser data. This single incident highlights the immense scale and potential damage of such attacks, as one compromised package can quickly infect thousands of downstream projects.
Another attack, uncovered in May of this year, targeted users of the AI-powered code editor, Cursor. Three malicious npm packages were found to be backdoors, fetching encrypted payloads to steal user credentials and disable auto-updates to maintain persistence. These attacks demonstrate a trend of threat actors moving beyond simple data exfiltration to targeting the development environment itself, making them a more dangerous and persistent threat.
While security teams at npm and other organizations are working to combat this threat, developers must take proactive measures to protect themselves. Enabling two-factor authentication (2FA) on all developer accounts is the most critical step, as it prevents account takeovers even if credentials are stolen. Additionally, developers should use package-lock.json to enforce specific package versions and hashes, ensuring that their projects only use verified code. Finally, regularly auditing dependencies with tools like npm audit and using security scanning services can help detect and mitigate vulnerabilities before they cause harm.
