At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved in maintaining the projects was phished. The attack appears to have been quickly contained and was narrowly focused on stealing cryptocurrency. But experts warn that a similar attack with a slightly more nefarious payload could lead to a disruptive malware outbreak that is far more difficult to detect and restrain.
This phishing email lured a developer into logging in at a fake NPM website and supplying a one-time token for two-factor authentication. The phishers then used that developer's NPM account to add malicious code to at least 18 popular JavaScript code packages.
Aikido is a security firm in Belgium that monitors new code updates to major open-source code repositories, scanning any code updates for suspicious and malicious code. In a blog post published today, Aikido said its systems found malicious code had been added to at least 18 widely-used code libraries available on NPM (short for "Node Package Manager"), which acts as a central hub for JavaScript development and the latest updates to widely-used JavaScript components.
JavaScript is a powerful web-based scripting language used by countless websites to build a more interactive experience with users, such as entering data into a form. But there's no need for each website developer to build a program from scratch for entering data into a form when they can just reuse already existing packages of code at NPM that are specifically designed for that purpose.
Unfortunately, if cybercriminals manage to phish NPM credentials from developers, they can introduce malicious code that allows attackers to fundamentally control what people see in their web browser when they visit a website that uses one of the affected code libraries.
According to Aikido, the attackers injected a piece of code that silently intercepts cryptocurrency activity in the browser, "manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user."
"This malware is essentially a browser-based interceptor that hijacks both network traffic and application APIs," Aikido researcher Charlie Eriksen wrote. "What makes it dangerous is that it operates at multiple layers: Altering content shown on websites, tampering with API calls, and manipulating what users' apps believe they are signing. Even if the interface looks correct, the underlying transaction can be redirected in the background."
Aikido said it used the social network Bsky to notify the affected developer, Josh Junon, who quickly replied that he was aware of having just been phished. The phishing email that Junon fell for was part of a larger campaign that spoofed NPM and told recipients they were required to update their two-factor authentication (2FA) credentials. The phishing site mimicked NPM's login page, and intercepted Junon's credentials and 2FA token. Once logged in, the phishers then changed the email address on file for Junon's NPM account, temporarily locking him out.
Aikido notified the maintainer on Bluesky, who replied at 15:15 UTC that he was aware of being compromised, and starting to clean up the compromised packages.
Junon also issued a mea culpa on HackerNews, telling the community's coder-heavy readership, "Hi, yep I got pwned."
"It looks and feels a bit like a targeted attack," Junon wrote. "Sorry everyone, very embarrassing."
Philippe Caturegli, "chief hacking officer" at the security consultancy Seralys, observed that the attackers appear to have registered their spoofed website, npmjs[.]help, just two days before sending the phishing email. The spoofed website used services from dnsexit[.]com, a "dynamic DNS" company that also offers "100% free" domain names that can instantly be pointed at any IP address controlled by the user.
Junon's mea culpa on HackerNews today listed the affected packages.
Caturegli said it's remarkable that the attackers in this case were not more ambitious or malicious with their code modifications.
"The crazy part is they compromised billions of websites and apps just to target a couple of cryptocurrency things," he said. "This was a supply chain attack, and it could easily have been something much worse than crypto harvesting."
Aikido's Eriksen agreed, saying countless websites dodged a bullet because this incident was handled in a matter of hours. As an example of how these supply-chain attacks can escalate quickly, Eriksen pointed to another compromise of an NPM developer in late August that added malware to "nx," an open-source code development toolkit with as many as six million weekly downloads.
In the nx compromise, the attackers introduced code that scoured the user's device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious code created a new public repository in the victim's GitHub account, and published the stolen data there for all the world to see and download.
Eriksen said coding platforms like GitHub and NPM should be doing more to ensure that any new code commits for broadly-used packages require a higher level of attestation that confirms the code in question was in fact submitted by the person who owns the account, and not just by that person's account.
"More popular packages should require attestation that it came through trusted provenance and not just randomly from some location on the Internet," Eriksen said. "Where does the package get uploaded from, by GitHub in response to a new pull request into the main branch, or somewhere else? In this case, they didn't compromise the target's GitHub account. They didn't touch that. They just uploaded a modified version that didn't come where it's expected to come from."
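The provenance attestation Eriksen describes can also be enforced on the consuming side. What follows is an added example (not code from the article, from Aikido or from npm) of a Node.js lockfile audit that flags dependencies resolved outside the expected registry, versions that carry no provenance attestation, and versions published too recently to have outlived a cooldown window like the hours this incident took to contain; the package names, the registry-metadata shape and the timestamps are constructed for illustration.

```javascript
// Added example (not code from the article, Aikido or npm): an npm lockfile
// audit enforcing two policies the attestation discussion points to: each
// dependency must resolve from the trusted registry and carry a provenance
// attestation, and a freshly published version is held back for a cooldown
// window, so a release compromised and pulled within hours never installs.
// Assumptions: npm lockfileVersion 3 layout; the registry snapshot is a
// CONSTRUCTED stand-in for registry metadata, keyed name -> version -> {...}.

const TRUSTED_REGISTRY = "https://registry.npmjs.org/";
const HOUR_MS = 3_600_000;
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lock, registry, nowMs, minAgeHours) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project itself
    const name = packageName(lockPath);
    const flag = (reason) => findings.push({ name, version: entry.version, reason });
    if (!entry.resolved || !entry.resolved.startsWith(TRUSTED_REGISTRY)) {
      flag("resolved outside trusted registry");
    }
    const meta = registry[name] && registry[name][entry.version];
    if (!meta) { flag("version missing from registry snapshot"); continue; }
    if (!meta.provenance) flag("no provenance attestation");
    const ageHours = (nowMs - Date.parse(meta.publishedAt)) / HOUR_MS;
    if (ageHours < minAgeHours) flag(`published ${ageHours.toFixed(1)}h ago (cooldown ${minAgeHours}h)`);
  }
  return findings;
}

// Constructed sample input with hypothetical package names (not the incident's).
const NOW_MS = Date.parse("2025-09-08T16:00:00Z");
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "example-app", version: "0.1.0" },
  "node_modules/stable-lib": { version: "1.4.2", resolved: "https://registry.npmjs.org/stable-lib/-/stable-lib-1.4.2.tgz" },
  "node_modules/fresh-lib": { version: "4.0.1", resolved: "https://registry.npmjs.org/fresh-lib/-/fresh-lib-4.0.1.tgz" },
  "node_modules/mirror-lib": { version: "2.0.0", resolved: "https://mirror.example.invalid/mirror-lib-2.0.0.tgz" },
} };
const SAMPLE_REGISTRY = {
  "stable-lib": { "1.4.2": { publishedAt: "2025-07-01T00:00:00Z", provenance: true } },
  "fresh-lib":  { "4.0.1": { publishedAt: "2025-09-08T13:30:00Z", provenance: false } },
  "mirror-lib": { "2.0.0": { publishedAt: "2025-05-20T00:00:00Z", provenance: true } },
};
// Returns the findings for the sample; a CI gate would fail when this is non-empty.
function runSampleAudit() { return auditLockfile(SAMPLE_LOCK, SAMPLE_REGISTRY, NOW_MS, 72); }
```

In a real pipeline the snapshot would be replaced by the registry's own per-version metadata and the cooldown tuned to how quickly your team can react to an advisory.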
Eriksen said code repository compromises can be devastating for developers, many of whom end up abandoning their projects entirely after such an incident.
"It's unfortunate because one thing we've seen is people have their projects get compromised and they say, 'You know what, I don't have the energy for this and I'm just going to deprecate the whole package,'" Eriksen said.
Kevin Beaumont, a frequently quoted security expert who writes about security incidents at the blog doublepulsar.com, has been following this story closely today in frequent updates to his account on Mastodon. Beaumont said the incident is a reminder that much of the planet still depends on code that is ultimately maintained by an exceedingly small number of people who are mostly overburdened and under-resourced.
"For about the past 15 years every business has been developing apps by pulling in 178 interconnected libraries written by 24 people in a shed in Skegness," Beaumont wrote on Mastodon. "For about the past 2 years orgs have been buying AI vibe coding tools, where some exec screams 'make online shop' into a computer and 389 libraries are added and an app is farted out. The output = if you want to own the world's companies, just phish one guy in Skegness."
Image: https://infosec.exchange/@GossiTheDog@cyberplace.social.
Aikido recently launched a product that aims to help development teams ensure that every code library used is checked for malware before it can be used or installed. Nicholas Weaver, a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif., said Aikido's new offering exists because many organizations are still one successful phishing attack away from a supply-chain nightmare.
Weaver said these types of supply-chain compromises will continue as long as people responsible for maintaining widely-used code continue to rely on phishable forms of 2FA.
"NPM should only support phish-proof authentication," Weaver said, referring to physical security keys that are phish-proof, meaning that even if phishers manage to steal your username and password, they still can't log in to your account without also possessing that physical key.
"All critical infrastructure needs to use phish-proof 2FA, and given the dependencies in modern software, archives such as NPM are absolutely critical infrastructure," Weaver said. "That NPM does not require that all contributor accounts use security keys or similar 2FA methods should be considered negligence."