Hackers injected malicious code into npm packages with more than two billion weekly downloads, in what researchers say could be the largest open-source supply-chain attack to date.
The breach compromised nearly two dozen packages that are foundational to the JavaScript ecosystem and have thousands of downstream dependents.
The attackers breached the account of Josh Junon, a maintainer of several affected packages, after he was targeted by a phishing email that claimed his npm account would be closed unless he updated his two-factor authentication credentials.
Within about an hour of the compromise, those packages received updates that added code to siphon cryptocurrency funds, monitoring transactions and redirecting them to attacker-controlled wallets. The malicious addition ran to more than 280 lines of code and linked infected machines to attacker addresses.
Security researchers from Socket say the overlap with high-profile projects greatly expands the attack’s blast radius, and the incident appears to be a targeted attempt to maximize reach across the ecosystem. The npm team and researchers are coordinating incident response and remediation.
