Jeff Bruchado
Back to blog

Supply Chain Attack Affects 300+ NPM Packages: What Developers Need to Know

Hello HaWkers, a new supply chain attack has compromised over 300 packages in the NPM registry, potentially affecting thousands of JavaScript projects worldwide. This incident reinforces the importance of understanding how these attacks work and how to protect our projects.

Software supply chain security has become one of the industry's biggest concerns. Do you know how to check if your project was affected?

What Happened

The attack was discovered by security researchers who identified suspicious patterns in updates to seemingly legitimate packages. The attackers used sophisticated techniques to compromise maintainer accounts and inject malicious code into new versions of popular packages.

Incident timeline:

  • Initial phase: Compromise of maintainer credentials through targeted phishing
  • Propagation: Publication of malicious versions in high-dependency packages
  • Detection: Identification by automated code analysis tools
  • Response: Removal of compromised packages and token revocation

How Supply Chain Attacks Work

Supply chain attacks exploit the trust developers place in third-party dependencies. Instead of attacking your code directly, attackers compromise libraries you already use.

Common Attack Vectors

1. Typosquatting:
Creating packages with names similar to popular libraries. A distracted developer might install lodahs instead of lodash.

2. Dependency Confusion:
Exploiting private registry configurations that may accidentally fetch public packages.

3. Account Compromise:
Gaining access to maintainer accounts through phishing, credential leaks, or exposed tokens.

4. Malicious Maintainer:
A legitimate maintainer who decides to inject malicious code or sells access to their account.

Anatomy of Malicious Code

The injected code typically performs actions such as:

  • Exfiltration of environment variables (API keys, tokens)
  • Installation of backdoors in CI/CD systems
  • Cryptocurrency mining
  • Theft of stored credentials
  • Remote system access

How to Check If Your Project Was Affected

There are several tools and techniques to audit your dependencies:

# Check for known vulnerabilities
npm audit

# More detailed audit with automatic fix
npm audit fix

# Check production only
npm audit --production

# Generate JSON format report
npm audit --json > audit-report.json

For deeper analysis, use specialized tools:

# Install Socket CLI for supply chain analysis
npm install -g @socketsecurity/cli

# Analyze project dependencies
socket npm info

# Check specific packages
socket npm info lodash

Manual Verification Script

You can create a script to check your dependencies against lists of compromised packages:

// verify-dependencies.js
const { execSync } = require('child_process');
const fs = require('fs');

// List of known compromised packages
const compromisedPackages = [
  'example-malicious-1',
  'example-malicious-2',
  // Add packages from official list
];

function checkDependencies() {
  const packageJson = JSON.parse(fs.readFileSync('./package.json', 'utf8'));
  const allDeps = {
    ...packageJson.dependencies,
    ...packageJson.devDependencies
  };

  const found = [];

  for (const dep of Object.keys(allDeps)) {
    if (compromisedPackages.includes(dep)) {
      found.push(dep);
    }
  }

  if (found.length > 0) {
    console.error('ALERT: Compromised packages found:');
    found.forEach(pkg => console.error(`  - ${pkg}`));
    process.exit(1);
  }

  console.log('No compromised packages found in direct dependencies.');
  console.log('Run npm audit to check transitive dependencies.');
}

checkDependencies();

NPM Security Best Practices

Adopting a proactive security posture can prevent most supply chain attacks.

1. Always Commit Lockfiles

Lockfiles ensure everyone on the team and in CI/CD uses exactly the same versions:

# Always commit these files
git add package-lock.json
git add yarn.lock
git add pnpm-lock.yaml

2. Enable Two-Factor Authentication

If you maintain public packages, 2FA is essential:

# Enable 2FA on your NPM account
npm profile enable-2fa auth-and-writes

3. Use Fixed Versions in Production

Avoid version ranges in production:

{
  "dependencies": {
    "express": "4.18.2",
    "lodash": "4.17.21"
  }
}

4. Configure Private Registries Correctly

If using private registries, configure scopes explicitly:

# .npmrc
@your-company:registry=https://npm.your-company.com/
//npm.your-company.com/:_authToken=${NPM_TOKEN}

5. Implement CI/CD Verification

Add security checks to your pipeline:

# .github/workflows/security.yml
name: Security Check
on: [push, pull_request]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      - run: npm audit --audit-level=high
      - name: Check for known malicious packages
        run: npx socket-security/cli npm info

Continuous Monitoring Tools

Beyond point-in-time checks, monitor your dependencies continuously:

Dependabot (GitHub):

  • Automatic security updates
  • Real-time alerts
  • Automated pull requests

Snyk:

  • Deep vulnerability analysis
  • IDE integration
  • Continuous monitoring

Socket Security:

  • Supply chain attack detection
  • Package behavior analysis
  • Proactive alerts

Configuring Dependabot

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
    groups:
      production-dependencies:
        dependency-type: "production"
      development-dependencies:
        dependency-type: "development"

What to Do If Your Project Was Compromised

If you identified that your project used a compromised package:

1. Assess the Impact:

  • Check CI/CD logs for suspicious executions
  • Review recent commits for unexpected changes
  • Check environment variables that may have been exposed

2. Rotate Credentials:

  • API keys
  • Access tokens
  • Database passwords
  • Certificates

3. Update Dependencies:

# Remove node_modules and lockfile
rm -rf node_modules package-lock.json

# Reinstall with safe versions
npm install

# Verify again
npm audit

4. Notify Stakeholders:

  • Security team
  • Affected customers (if applicable)
  • Community (if you maintain a public package)

The Future of Package Registry Security

The JavaScript community is working on several initiatives to improve security:

Sigstore for NPM:
Cryptographic package signing allowing verification of authenticity and integrity.

Provenance Attestations:
GitHub and NPM now support attestations that prove a package was built from a specific repository.

Trusted Publishers:
A model where only verified pipelines can publish packages, eliminating the risk of compromised credentials.

This incident serves as a reminder that supply chain security should be a priority in any modern project. Don't wait to become a victim of an attack to implement proper security practices.

If you want to deepen your JavaScript security knowledge, I recommend checking out the article on Debugging JavaScript: Advanced DevTools Techniques where you'll learn techniques that also help identify suspicious behavior in your code.

Let's go! 🦅

Comments (0)

This article has no comments yet 😢. Be the first! 🚀🦅

Add comments