Massive npm Supply‑Chain Attack Compromises Hundreds of Packages

Key Points
- Hackers used a phishing email to steal a maintainer's 2FA credentials.
- Nearly two dozen npm packages, together accounting for billions of weekly downloads, were compromised.
- Malicious code (over 280 lines) was added to redirect cryptocurrency payments.
- Affected packages are foundational, amplifying the attack's blast radius.
- Security firm Socket calls the operation a targeted supply‑chain attack.
Hackers orchestrated what is likely the largest supply‑chain attack ever on the npm repository, which serves 2 billion weekly downloads, compromising nearly two dozen open‑source packages. The breach began with a phishing email that tricked maintainer "Qix" into revealing his two‑factor authentication credentials. Within an hour, malicious code was added to dozens of packages, enabling the theft of cryptocurrency by monitoring transactions and redirecting payments to attacker‑controlled wallets. Researchers say the targeted selection of foundational JavaScript libraries vastly expands the attack’s reach across the ecosystem.
Overview of the Attack
Security researchers have identified a coordinated supply‑chain compromise affecting the npm repository, which serves more than 2 billion weekly downloads of JavaScript code. The breach involved the insertion of malicious code into nearly two dozen packages that are widely used across the open‑source ecosystem.
How the Intrusion Occurred
The attackers began by sending a phishing email that appeared to come from a domain created to mimic the official npm support address. The message warned the maintainer, known online as Qix, that his account would be closed unless he logged in and updated his two‑factor authentication (2FA) details. Falling for the ruse, Qix entered his credentials, giving the attackers access to his npm account.
Rapid Deployment of Malicious Code
Within roughly an hour of gaining access, the intruders pushed updates to dozens of packages under Qix’s stewardship. The added code, spanning more than 280 lines, monitors infected systems for cryptocurrency transactions and automatically redirects the payments to wallets controlled by the attackers.
Scope and Impact
The compromised packages include several foundational libraries that are both directly used and indirectly required by thousands of other npm packages. Because many projects depend on these core components, the malicious versions have the potential to affect a vast number of applications, libraries, and frameworks worldwide.
Expert Analysis
Security firm Socket highlighted the significant overlap with high‑profile projects, noting that the attackers deliberately targeted packages to maximize their reach. The researchers described the operation as a targeted attack designed to exploit the extensive dependency network inherent in modern software development.
Potential Consequences
Beyond the immediate risk of cryptocurrency theft, the incident underscores the vulnerability of open‑source supply chains to social engineering and credential compromise. It also raises concerns about the security of 2FA implementations when attackers can deceive developers through seemingly legitimate communications.