The largest supply-chain compromise in the history of the NPM ecosystem has impacted roughly 10% of all cloud environments, but the attacker made little profit off it.
The attack occurred earlier this week after maintainer Josh Junon (qix) fell for a password-reset phishing lure, which let the attacker compromise multiple highly popular NPM packages, among them chalk and debug-js, that cumulatively have more than 2.6 billion weekly downloads.
After gaining access to Junon’s account, the attackers pushed updates containing a malicious module that stole cryptocurrency by redirecting transactions to the threat actor.
The open-source software community quickly discovered the attack, and all the malicious packages were removed within two hours.
According to researchers at cloud security company Wiz, one or more of the compromised packages, which are fundamental building blocks for nearly any JavaScript/Node project, were used in 99% of cloud environments.
During the two-hour window they were available for download, the compromised packages were pulled by roughly 10% of cloud environments.
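A lockfile check of the kind a team would run to find out whether its builds resolved one of the compromised packages during that window, as an added example (not code from the article or from Wiz). It assumes the npm package names chalk and debug and a lockfileVersion 2/3 package-lock.json; the affected version strings are placeholders to be replaced with the ones from the official advisory.

```python
"""Scan an npm package-lock.json for packages named in the incident.

Added example, not code from the article or from Wiz. The version
numbers in AFFECTED are PLACEHOLDERS: substitute the versions listed
in the official advisory before using this on a real lockfile.
"""
import json

# Placeholder version list (constructed); replace with the advisory's versions.
AFFECTED = {
    "chalk": {"0.0.0-PLACEHOLDER"},
    "debug": {"0.0.0-PLACEHOLDER"},
}


def find_affected(lockfile_text, affected=AFFECTED):
    """Return (name, resolved version, lockfile path) for every dependency
    in a lockfileVersion 2/3 lockfile whose name and version match AFFECTED.
    Nested copies (a/node_modules/b/node_modules/chalk) and scoped names
    (@scope/pkg) are handled by taking the text after the last node_modules/."""
    lock = json.loads(lockfile_text)
    hits = []
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = entry.get("version")
        if version in affected.get(name, ()):
            hits.append((name, version, path))
    return hits


# Constructed sample lockfile: one matching copy of chalk, one nested
# debug at a non-matching version, and an unrelated package.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/chalk": {"version": "0.0.0-PLACEHOLDER"},
        "node_modules/supports-color": {"version": "7.2.0"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    },
})

if __name__ == "__main__":
    for name, version, path in find_affected(SAMPLE_LOCK):
        print(f"AFFECTED: {name}@{version} at {path}")
```

Run it against every lockfile in CI caches and build images as well as the repository, since a build that ran inside the two-hour window may have resolved the bad version even if the committed lockfile no longer does.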
“During the short 2-hour timeframe in which the malicious versions were available on npm, the malicious code successfully reached 1 in 10 cloud environments,” explained Wiz.
“This serves to demonstrate how fast malicious code can propagate in supply chain attacks like this one.”
Source: Wiz
The 10% figure is based on Wiz’s visibility into customer cloud environments, as well as public sources. While it may not be a representative percentage, it is still indicative of the fast spread and reach of the attack.