🚨 URGENT: I can't write much..... but... the largest supply chain compromise in npm, Inc. history just happened, packages with a total of 2 billion weekly downloads just got turned malicious..... Packages were compromised 1 hour ago. Please share urgently

ansi-styles (371.41m downloads per week)
debug (357.6m downloads per week)
backslash (0.26m downloads per week)
chalk-template (3.9m downloads per week)
supports-hyperlinks (19.2m downloads per week)
has-ansi (12.1m downloads per week)
simple-swizzle (26.26m downloads per week)
color-string (27.48m downloads per week)
error-ex (47.17m downloads per week)
color-name (191.71m downloads per week)
is-arrayish (73.8m downloads per week)
slice-ansi (59.8m downloads per week)
color-convert (193.5m downloads per week)
wrap-ansi (197.99m downloads per week)
ansi-regex (243.64m downloads per week)
supports-color (287.1m downloads per week)
strip-ansi (261.17m downloads per week)
chalk (299.99m downloads per week)

I'll give a more detailed post later... 😬 #malware #npm #supplychain #infosec #appsec #applicationsecurity
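A quick defender-side check to go with the list above, added here as an example and not code from the post's author or from Aikido: it walks a package-lock.json (v2/v3 "packages" map, including nested node_modules entries) and reports every resolved version of the packages named in the post, so they can be compared against the maintainers' advisory. The lockfile contents are constructed for the example; the post gives no compromised version numbers, so the script only lists what is installed.

```javascript
// Package names taken from the post above.
const AFFECTED = new Set([
  'ansi-styles', 'debug', 'backslash', 'chalk-template', 'supports-hyperlinks',
  'has-ansi', 'simple-swizzle', 'color-string', 'error-ex', 'color-name',
  'is-arrayish', 'slice-ansi', 'color-convert', 'wrap-ansi', 'ansi-regex',
  'supports-color', 'strip-ansi', 'chalk',
]);

// Lockfile keys look like "node_modules/chalk" or
// "node_modules/a/node_modules/@scope/b"; the package name is whatever
// follows the last "node_modules/" segment. The root entry ("") has none.
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Returns one record per installed copy of an affected package, sorted by
// lockfile path so duplicates (nested copies) are easy to spot.
function findAffected(lock) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (name && AFFECTED.has(name)) {
      hits.push({ name, path: key, version: meta.version, resolved: meta.resolved });
    }
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample lockfile (not from any real project).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.3.0', resolved: 'https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/some-cli/node_modules/debug': { version: '4.3.6' },
  },
};

// Usage: node check-lock.js [path/to/package-lock.json]; falls back to the sample.
if (typeof require === 'function' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const h of findAffected(lock)) console.log(`${h.path}\t${h.version}\t${h.resolved || ''}`);
}
```

Every reported version still has to be checked against the advisory linked in the comments; an affected name alone does not mean a malicious version is installed.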
Response from maintainer on Hacker News https://news.ycombinator.com/item?id=45169657
More information on the phishing campaign. Unfortunately we are going to see a lot more of these https://github.com/orgs/community/discussions/172738
Our researcher Charlie Eriksen is in contact with the maintainer now. At the moment he doesn't have access to the NPM account. The phishing email came from support@npmjs[.]help
IMPORTANT UPDATE: The same threat actors have just compromised another package from a different maintainer. This will likely be from the same phishing email; sadly, I think we are going to see a lot of compromises this week. https://www.npmjs.com/package/proto-tinker-wc/v/0.1.87
This developer's NPM account was compromised. No info on how yet https://www.npmjs.com/~qix
Thank you for the promptness in reporting this. Appreciate it.
Mackenzie Jackson keen to know if there are any trials of crypto, we'd try to see what we can trace… any addresses left by the attacker?
Mackenzie Jackson I know this is not good news, but this information will help me to complete my project on Securing the Supply Chain Compromise. Thanks for sharing
Developer and Security Advocate @ Aikido Security
Here is our blog post. It will be updated live as we go https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised