Key takeaways
- Attackers reportedly launched a targeted phishing campaign to compromise Node Package Manager (NPM) maintainer accounts and inject malicious code into widely used JavaScript packages.
- Certain malicious packages covertly diverted cryptocurrency assets by hijacking web APIs and manipulating network traffic.
- One of the attack’s payloads is the Shai-hulud worm, which is delivered through compromised packages, steals cloud service tokens, deploys secret-scanning tools, and spreads to additional accounts.
- Based on Trend Micro’s telemetry, organizations across North America and Europe have been among the most affected.
- Trend Vision One™ detects and blocks the indicators of compromise (IOCs) outlined in this blog, and provides customers with tailored threat hunting queries, threat insights, and intelligence reports.
On September 15, the Node Package Manager (NPM) registry was hit by a supply chain attack that is still ongoing. The attackers ran a highly targeted phishing campaign to compromise NPM package maintainer accounts and, with the publish rights those accounts carry, injected malicious code into widely used JavaScript packages, putting the broader software ecosystem at risk. The attack has affected several key NPM packages, including ones integral to application development and cryptography.
According to StepSecurity, the malicious actors behind this incident used techniques similar to those seen in the Nx supply chain attack last month. As of September 16, researchers at Socket had already identified close to 500 affected NPM packages.
In this blog entry, Trend™ Research provides an overview of the recent NPM ecosystem compromises, what SOC teams need to know, and security recommendations for avoiding this threat.
What types of packages are at risk
The malicious modifications were made to critical JavaScript libraries, including those supporting development frameworks and cryptographic functions. The packages impacted by this attack have extremely high global download rates, collectively more than 2.6 billion downloads per week, so the compromise reaches a vast ecosystem of web applications and dependent projects, many of which pull these packages in only as transitive dependencies.
Attackers stole cryptocurrency assets
The attackers hijacked web APIs and manipulated network traffic to covertly divert funds from their legitimate destinations to wallets under attacker control, affecting both organizations and end users who interacted with applications built on the compromised packages.
What the Shai-hulud worm does
One of the payloads is a self-replicating worm detected in the NPM registry and dubbed Shai-hulud after the sandworm in Dune. The worm spreads by compromising developer accounts and injecting malicious code into legitimate packages those accounts can publish, so each newly infected package becomes a new distribution point. Its primary capabilities include:
- Stealing cloud service tokens (NPM, GitHub, AWS, GCP)
- Installing Trufflehog, an open-source secret scanning tool, to search for exposed secrets
- Auto-spreading to additional packages and accounts
- Exposing private repositories
Who has been affected so far
Incidents have been reported across various countries, but primarily in North America and Europe. Organizations and developers that depend on widely adopted JavaScript libraries are among those most impacted.
How organizations can respond
To safeguard development workflows and sensitive assets from the risks stemming from the ongoing NPM supply chain attack, organizations should adopt a proactive security stance built on the following best practices:
- Audit dependencies, focusing on recently updated packages. Review all dependencies, including the transitive ones recorded in lockfiles, paying particular attention to versions published recently, and remove or roll back any that appear compromised.
- Revoke and rotate credentials, especially for NPM accounts. Immediately revoke and replace any credentials or API keys that may have been exposed, including the GitHub, AWS, and GCP tokens the worm targets, prioritizing the most sensitive accounts.
- Monitor for evidence of Trufflehog and similar scanning tools in use. Check logs for anomalous repository scanning activity, and proactively scan your own codebase for exposed secrets so that anything found can be rotated before an attacker uses it.
- Stay updated with advisories from the official NPM registry and trusted sources. Regularly monitor official advisories so that the latest fixes and recommended actions can be applied promptly.
- Tighten access and security policies. Apply the principle of least privilege to all accounts that can affect repositories and automation, and enforce multi-factor authentication (MFA) on all developer and CI/CD access points.
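The dependency audit is the step in this list that is easiest to automate. The following Node.js script is an added example, not code from the original blog entry or from Trend Micro: it checks a package-lock.json, including transitive and dev dependencies, against a block list of compromised package versions. The block list (COMPROMISED) and the sample lockfile (SAMPLE_LOCK) are constructed placeholders for illustration and not real indicators; the real indicators come from the IoC page referenced at the end of this entry, and the function names (findCompromised, auditFile) are this example's own.

```javascript
// Added example (not from the original blog or from Trend Micro): offline audit of an
// npm lockfile against a block list of compromised package@version pairs.
// The names and versions in COMPROMISED and SAMPLE_LOCK are constructed placeholders,
// not real indicators; substitute the list from the IoC page linked in the blog entry.

// Hypothetical block list: package name -> set of compromised versions.
const COMPROMISED = {
  "example-utils": new Set(["4.2.1"]),
  "example-crypto-helper": new Set(["1.0.9", "1.0.10"]),
};

// Package name from a lockfile v2/v3 path, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Recursive walk for lockfileVersion 1 (npm 6), where each dependency nests its own
// "dependencies" object instead of appearing in a flat "packages" map.
function walkV1(deps, prefix, blockList, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = prefix + "node_modules/" + name;
    const bad = blockList[name];
    if (bad && bad.has(entry.version)) {
      hits.push({ path, name, version: entry.version, dev: Boolean(entry.dev) });
    }
    walkV1(entry.dependencies, path + "/", blockList, hits);
  }
}

// Return every installed entry (direct or transitive) whose name and exact version
// are on the block list. Accepts the parsed lockfile object or its JSON text.
function findCompromised(lockJson, blockList = COMPROMISED) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const name = entry.name || nameFromPath(path);
      const bad = blockList[name];
      if (bad && bad.has(entry.version)) {
        hits.push({ path, name, version: entry.version, dev: Boolean(entry.dev) });
      }
    }
  } else {
    walkV1(lock.dependencies, "", blockList, hits);
  }
  return hits;
}

// Constructed sample lockfile (lockfileVersion 3): one direct hit, one hit nested
// under another package, and one package whose installed version is not listed.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-utils": { version: "4.2.1" },
    "node_modules/example-crypto-helper": { version: "1.0.8" },
    "node_modules/left-alone": { version: "2.0.0" },
    "node_modules/left-alone/node_modules/example-crypto-helper": { version: "1.0.10", dev: true },
  },
};

// Audit a lockfile on disk, e.g. `node audit-lock.js ./package-lock.json`.
function auditFile(filePath) {
  return findCompromised(require("fs").readFileSync(filePath, "utf8"));
}

if (typeof require !== "undefined" && require.main === module) {
  const fromFile = process.argv.length > 2;
  const hits = fromFile ? auditFile(process.argv[2]) : findCompromised(SAMPLE_LOCK);
  for (const h of hits) {
    console.log(`${h.dev ? "[dev] " : ""}${h.name}@${h.version} at ${h.path}`);
  }
  console.log(`${hits.length} compromised package version(s) found`);
  if (fromFile && hits.length > 0) process.exitCode = 1; // fail a CI job on a real hit
}
```

Exact-version matching is the point: a compromised release is usually one or two specific versions, and a semver range in package.json says nothing about which version is actually installed, so audit the lockfile (or the output of `npm ls --all`) rather than package.json. Roll back any hit by pinning a known-good version and reinstalling from a clean cache, then treat any machine that installed the bad version as potentially exposed and rotate the credentials it had access to.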
Note: This is a developing story. Trend Research will continue to monitor the situation and will update this blog post as soon as we confirm additional details.
Trend Vision One™ Threat Intelligence
To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights which provides the latest insights from Trend Research on emerging threats and threat actors.
Trend Vision One Threat Insights
- Emerging Threats: Massive NPM Supply-Chain Attack: Phishing Hijack Leads to Malicious JavaScript Injection
Trend Vision One Intelligence Reports (IOC Sweeping)
Hunting Queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Detection of Malware payloads
malName: (*CRYPTOHIJACK* OR *SHULUD*) AND eventName: MALWARE_DETECTION
More hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled.
Indicators of Compromise (IoC)
The indicators of compromise for this entry can be found here.