npm Supply Chain Attack Averted Within Hours After Developer’s Account Compromise

News Desk
Last updated: September 9, 2025 7:14 pm
Published: September 9, 2025
Credits: www.infosecurity-magazine.com

A significant security incident within the npm ecosystem was quickly resolved after a developer’s account was compromised, leading to the publication of malicious packages. On September 8, Josh Junon, a well-recognized developer with over 1,800 GitHub contributions in the past year, announced on Bluesky that his npm account had been hacked. He was alerted by other users who noticed the account was posting packages containing backdoors.

Junon, known in the developer community as ‘qix,’ explained that he had received a seemingly legitimate email asking him to reset his two-factor authentication (2FA); it was in fact a phishing attempt to take over the account. He confirmed that the breach was limited to his npm account and worked with npm support to address the situation.

The compromised npm account released harmful versions of multiple packages that are integral to high-volume JavaScript projects, including:

  • chalk (around 300 million weekly downloads)
  • strip-ansi (approximately 261 million weekly downloads)
  • color-convert (around 193 million weekly downloads)
  • color-name (approximately 191 million weekly downloads)
  • error-ex (about 47 million weekly downloads)
  • simple-swizzle (approximately 26 million weekly downloads)
  • has-ansi (around 12 million weekly downloads)

The malicious packages contained a sophisticated crypto-clipper that stealthily siphoned funds by altering wallet addresses during network transactions. The malware operated through two primary mechanisms: passive address-swapping and active transaction hijacking. If a crypto wallet extension, such as MetaMask, was present, the malware would intercept outgoing transactions, changing the recipient address before the user could sign it. This allowed it to direct funds to the attacker instead of their intended destination.
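The "active transaction hijacking" path described above works by changing the recipient after the application has decided where funds should go but before the wallet signs. The following is an added example, not code from the article, MetaMask or any of the affected packages, of a defensive recipient-integrity check a dApp can place between its own UI state and the wallet provider: the application freezes the transfer it intends (from, to, value) when it resolves those values from its own source of truth, and immediately before the provider call compares the transaction that is actually about to be sent against that frozen record, refusing it on any mismatch. EIP-1193's `provider.request({ method, params })` shape and the `eth_sendTransaction` method are real; the provider below is a constructed test double and the addresses are constructed sample values.

```javascript
// Added example (not from the article): a recipient-integrity guard for a
// dApp's wallet calls. Assumes an EIP-1193 provider (real shape); the
// provider used in the demo is a constructed test double.

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Validate and canonicalise an address so comparisons are case-insensitive.
function normalizeAddress(addr) {
  if (typeof addr !== "string" || !ADDRESS_RE.test(addr)) {
    throw new Error(`not a 20-byte hex address: ${String(addr)}`);
  }
  return addr.toLowerCase();
}

// Immutable record of the transfer the application meant to make, captured
// at the moment the app resolves the recipient from its own source of truth.
function intendTransfer({ from, to, valueWeiHex }) {
  return Object.freeze({
    from: normalizeAddress(from),
    to: normalizeAddress(to),
    value: valueWeiHex,
  });
}

// Pure check: list every way `tx` deviates from `intent` (empty = consistent).
function checkTransaction(intent, tx) {
  const issues = [];
  if (normalizeAddress(tx.to) !== intent.to) {
    issues.push(`recipient ${tx.to} differs from intended ${intent.to}`);
  }
  if (normalizeAddress(tx.from) !== intent.from) {
    issues.push(`sender ${tx.from} differs from intended ${intent.from}`);
  }
  if (tx.value !== intent.value) {
    issues.push(`value ${tx.value} differs from intended ${intent.value}`);
  }
  return issues;
}

class TransactionTamperedError extends Error {
  constructor(issues) {
    super(`transaction does not match intent: ${issues.join("; ")}`);
    this.name = "TransactionTamperedError";
    this.issues = issues;
  }
}

// Returns a send function bound to a provider. On a mismatch it reports to
// `onAlert` and throws instead of forwarding; otherwise it returns whatever
// provider.request returns (a Promise of the tx hash for a real wallet).
function createGuardedSender(provider, onAlert = console.error) {
  return function send(intent, tx) {
    const issues = checkTransaction(intent, tx);
    if (issues.length > 0) {
      onAlert({ event: "tx_intent_mismatch", issues, tx, intent });
      throw new TransactionTamperedError(issues);
    }
    return provider.request({ method: "eth_sendTransaction", params: [tx] });
  };
}

// ---- constructed demo ------------------------------------------------------
const SENDER = "0x1111111111111111111111111111111111111111";
const MERCHANT = "0x2222222222222222222222222222222222222222";
const SOMEWHERE_ELSE = "0x3333333333333333333333333333333333333333";

// Test double: records each request and returns a constructed hash synchronously.
const fakeProvider = {
  calls: [],
  request(req) {
    this.calls.push(req);
    return "0xconstructed_tx_hash";
  },
};

const alerts = [];
const send = createGuardedSender(fakeProvider, (a) => alerts.push(a));
const intent = intendTransfer({ from: SENDER, to: MERCHANT, valueWeiHex: "0xde0b6b3a7640000" });

// Transaction assembled from UI state that still matches the intent: forwarded.
const okResult = send(intent, { from: SENDER, to: MERCHANT, value: "0xde0b6b3a7640000" });

// UI state whose recipient no longer matches what the app resolved: refused.
function tryTamperedSend() {
  try {
    send(intent, { from: SENDER, to: SOMEWHERE_ELSE, value: "0xde0b6b3a7640000" });
    return null;
  } catch (e) {
    return e;
  }
}
const tamperedError = tryTamperedSend();
console.log("forwarded:", okResult, "| refused:", tamperedError && tamperedError.message);
```

This catches a rewrite that lands in the page's state between resolving the address and calling the wallet. Code that replaces the provider object itself sits on the other side of the check, so treat this as one layer alongside dependency pinning and the wallet's own confirmation screen, and have `onAlert` forward to your telemetry so a mismatch is visible to the security team rather than only to the user.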

The Ethereum address linked to the attack is trackable on Etherscan, providing real-time visibility of its activity. Furthermore, a GitHub Gist has been created to list all affected wallets.

In a rapid response, npm removed all impacted package versions just four hours after the compromise was confirmed. While some observers labeled this incident as the “biggest supply chain attack in history,” others, including Josh Bressers, VP of security at Anchore, highlighted the community’s swift and effective response. Bressers noted that the incident lasted only a few hours, showcasing the strength of collaboration within the open-source community.

Katie Paxton-Fear, an ethical hacker and staff security advocate at Semgrep, shared insights indicating that while security breaches are concerning, the prompt reaction from the community minimized the risk. She revealed that the estimated financial loss was remarkably low, around $20, thanks to early detection and the rapid takedown of the malicious packages. Paxton-Fear pointed out that discussions about the issue began within a mere 15 minutes of the harmful packages being published.

To mitigate the impact of similar compromises, Jan-David Stärk, a team lead at a software engineering firm, recommended that developers take precautionary measures: pin trusted versions of the compromised packages in their project’s package.json file and reinstall their dependencies so that any malicious versions are removed from the tree.

The recommendations included adding overrides to package.json so that the project, including its transitive dependencies, only uses safe versions of the affected packages, and cleaning up the project environment afterwards. Such actions underline the importance of vigilance and proactive strategies in safeguarding the software supply chain.
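Pinning and overriding, as the two paragraphs above recommend, only helps if you can see which copies of the affected packages your lockfile actually contains, including nested duplicates pulled in by other dependencies. The following is an added example, not code from the article, npm or any of the named projects, that audits a package-lock.json (lockfile v2/v3 "packages" layout), reports every installed copy that is not on your known-good list, and emits the `overrides` block to paste into package.json. The lockfile and every version number in it are constructed for the demo; substitute the versions you have verified for your own project.

```javascript
// Added example (not from the article): audit a package-lock.json for the
// packages named in the incident and build the package.json "overrides"
// block that pins them. All versions and the lockfile below are constructed.

const AFFECTED_PACKAGES = [
  "chalk", "strip-ansi", "color-convert", "color-name",
  "error-ex", "simple-swizzle", "has-ansi",
];

// Lockfile keys look like "node_modules/chalk" or, for nested copies,
// "node_modules/foo/node_modules/chalk"; the package name is the part after
// the last "node_modules/" (scoped names such as "@scope/pkg" stay intact).
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Every installed copy (including nested duplicates) of the given package
// names, with its version and its location in the tree.
function findInstalledVersions(lockfile, names) {
  const wanted = new Set(names);
  const found = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromKey(key);
    if (name && wanted.has(name) && entry && entry.version) {
      found.push({ name, version: entry.version, path: key });
    }
  }
  return found;
}

// package.json "overrides" forces every transitive copy onto the pinned version.
function buildOverrides(knownGood) {
  const overrides = {};
  for (const name of AFFECTED_PACKAGES) {
    if (knownGood[name]) overrides[name] = knownGood[name];
  }
  return overrides;
}

// Classify each installed copy: matches its pin, violates it, or is an
// affected package you have not pinned at all (also worth a look).
function auditLockfile(lockfile, knownGood) {
  const installed = findInstalledVersions(lockfile, AFFECTED_PACKAGES);
  const violations = [];
  const unpinned = [];
  for (const pkg of installed) {
    const pin = knownGood[pkg.name];
    if (pin === undefined) unpinned.push(pkg);
    else if (pkg.version !== pin) violations.push(pkg);
  }
  return { installed, violations, unpinned, overrides: buildOverrides(knownGood) };
}

// ---- constructed demo ------------------------------------------------------
// Constructed pins: illustrative values, not the real safe releases.
const KNOWN_GOOD = {
  "chalk": "1.0.0",
  "strip-ansi": "1.0.0",
  "color-name": "1.0.0",
};

// Constructed lockfile: one top-level copy at the pinned version, one nested
// copy at a different version, one affected package with no pin.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/chalk": { version: "1.0.0" },
    "node_modules/color-name": { version: "1.0.0" },
    "node_modules/some-dep/node_modules/strip-ansi": { version: "1.0.1" },
    "node_modules/error-ex": { version: "2.0.0" },
  },
};

const report = auditLockfile(SAMPLE_LOCK, KNOWN_GOOD);
for (const v of report.violations) {
  console.log(`NOT PINNED: ${v.path} is ${v.version}, expected ${KNOWN_GOOD[v.name]}`);
}
for (const u of report.unpinned) {
  console.log(`NO PIN DEFINED: ${u.path} is ${u.version}`);
}
console.log("Add to package.json:", JSON.stringify({ overrides: report.overrides }, null, 2));
```

After adding the emitted `overrides` block, delete node_modules and the lockfile and run `npm install` so the tree is rebuilt under the pins; then rerun the audit on the fresh lockfile and expect `violations` to be empty.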
