Malicious javascript compromise on npmjs

Example copy of one of the inserted JS: https://pastebin.com/bwLZrq02

Just reported to NPM, they work on it.

Derek's caught it too https://infosec.exchange/@derekheld/115169311485030806

It's a cryptocurrency wallet drainer, RIP a load of devops dudes crypto.

NPM on it, some packages nuked, more being nuked

If you want an idea of scale of trojan attempt - 'color' alone had 32m downloads in a week, the combined attempt was pushing a billion due to upstream dependencies.

Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.

additional backdoored packages

ansi-styles
debug
chalk
supports-color
strip-ansi
ansi-regex
has-ansi

Weekly download stats for impacted packages prior to incident

ansi-styles (371.41m)
debug (357.6m)
backslash (0.26m)
chalk-template (3.9m)
supports-hyperlinks (19.2m)
has-ansi (12.1m)
simple-swizzle (26.26m)
color-string (27.48m)
error-ex (47.17m)
color-name (191.71m)
is-arrayish (73.8m)
slice-ansi (59.8m)
color-convert (193.5m)
wrap-ansi (197.99m)
ansi-regex (243.64m)
supports-color (287.1m)
strip-ansi (261.17m)
chalk (299.99m)

Total 2674m

@GossiTheDog Whoever could have predicted that downloading 10GB of third party code from 1,000 different people to do simple tasks would end up this way

Phishing email sent to maintainers, they basically targeted people with 2FA by getting them to.. reset their 2FA.

@GossiTheDog That's a new one. (Too bad no alt text so no boost.)

Maybe less people would fall for that sort of scam if regular forced password resets weren't so common?

Developer confirms they fell for phishing email

It looks like others have too, found one other compromised repo from a different user, will have a dig tomorrow as bored of cyber tonight.

https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y

For anybody confused about how this happens, basically:

- For about the past 15 years every business has been developing apps by pulling in 178 interconnected libraries written by 24 people in a shed in Skegness

- For about the past 2 years orgs have been buying AI vibe coding tools, where some exec screams "make online shop" into a computer and 389 libraries are added and an app is farted out

The output = if you want to own the world's companies, just phish one guy in Skegness