Attackers successfully injected malicious code into hundreds of popular npm packages, potentially affecting millions of JavaScript developers worldwide.
A sophisticated supply chain attack has compromised over 500 npm packages, injecting malicious code that steals environment variables, cryptographic keys, and authentication tokens from developer machines running the affected packages.
The attack was carried out by compromising the accounts of package maintainers through credential stuffing attacks using previously leaked passwords. The attackers then published malicious updates to popular packages, which were automatically downloaded by developers and CI/CD pipelines worldwide.
The malicious code executes during package installation and silently transmits sensitive data to attacker-controlled servers hosted across multiple countries to complicate attribution and takedown efforts.
Security researchers estimate the attack may have affected systems at thousands of organizations worldwide. npm has revoked the malicious package versions and is implementing additional security measures including mandatory multi-factor authentication for all package publishers with high download counts.
Developers are advised to audit their package dependencies immediately, rotate any secrets that may have been exposed, and implement software composition analysis tools in their development pipelines to detect future supply chain compromises.