
Hackers Hijack npm Packages With 2 Billion Weekly Downloads in Supply Chain Attack (bleepingcomputer.com)

(Monday September 08, 2025 @05:50PM (msmash) from the PSA dept.)


An anonymous reader shares a report:

> In what is being called the largest supply chain attack in history, attackers have [1]injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack.
>
> The package maintainer whose accounts were hijacked in this supply-chain attack confirmed the incident earlier today, stating that he was aware of the compromise and adding that the phishing email came from support [at] npmjs [dot] help, a domain that hosts a website impersonating the legitimate npmjs.com domain.
>
> In the emails, the attackers threatened that the targeted maintainers' accounts would be locked on September 10th, 2025, as a scare tactic to get them to click on the link redirecting them to the phishing sites.



[1] https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/



The package maintainer? (Score:2)

by oldgraybeard ( 2939809 )

"phishing email" really! I have never taken the npm plunge because of the history.

Re: (Score:3)

by gweihir ( 88907 )

Seems the whole JavaScript ecosystem is mediocre and worse (with apologies to the people that are the rare exceptions that can be found anywhere).

You ARE the weakest link (Score:4, Informative)

by umopapisdn69 ( 6522384 )

Sheesh. Anti-Phishing training is so hard to do effectively. The inherent asymmetry of the conflict is crushing. Attackers only have to succeed once. Defenders must succeed every time.

Re: (Score:3)

by gweihir ( 88907 )

It has always been an asymmetric fight. And that is not going to change. With LLMs now writing apparently quite reasonable malware (for malware it does not matter if it is insecure or you have to write 20 different versions before one works), the conflict is going to get even more asymmetrical and the pressure on crapware makers will increase.

This attack is one reason professional admin work uses dedicated machines and sign-offs by a 2nd admin for everything. Amateur-level procedures have really run their

Re: (Score:2)

by Bert64 ( 520050 )

So long as companies continue to send out suspicious looking emails they will be conditioning users to fall for the phishing.

I've lost track of the number of legit companies that sent me mails which looked like phishing - instructions to click links, enter passwords etc. They act all indignant when you report the suspicious emails as phishing.

And another problem is not using the infrastructure that already exists - S/MIME has been around for years, supported OOTB by outlook, android mail app, apple mail app

Re: (Score:2)

by Bert64 ( 520050 )

And don't even get me started on the "secure messaging" applications a lot of companies use... Instead of emailing you the content/file directly, it sends you a link to sign up to some "secure email" site, from which you can download the actual content.

1) the notification looks like a phishing attempt because it invites you to click a link and login/register somewhere

2) the purpose of the system is to not send the content over unencrypted email, however since you register to the system (and reset your passw

Re: (Score:2)

by test321 ( 8891681 )

I manage my own domain and create aliases for each online account I create. Two years ago, an airline I used to fly with got hacked and my e-mail with the template $AIRLINE.customer.$RANDOM@mydomain.com started getting spam. I deleted this alias and created a new account, but I also created a catchall on the domain then forgot about it.

Last week I opened the catchall inbox. I found a series of very well designed phishing emails. It's something like "tribunal of $MY_DISTRICT has pending process 123ZYX654, wi

Re: (Score:2)

by ffkom ( 3519199 )

If you keep a local copy somebody might think you are responsible for not having it contain malware. So according to the laws of organized irresponsibility, you better not cache anything, so you can point to that random guy on the Internet and shout "It was not me, it was his fault our software got infected!".

The penalties for phishing need to be bigger... (Score:2)

by MikeDataLink ( 536925 )

Drop a nuke on their house...

Re: (Score:3)

by gweihir ( 88907 )

Stupid comment is stupid. If you know who does it, you can either simply have them arrested or any attack would start WW3.

Single-person dependencies are not good (Score:5, Insightful)

by gweihir ( 88907 )

At the very least anything that goes into production should have a 2nd person review and sign-off on it. That tends to curb this kind of thing. On the other hand, maybe NPM is just a toy collection without quality, security and reliability? Given that it is JavaScript, that seems likely.

Re: (Score:3)

by Bert64 ( 520050 )

Look how many "security tools" invite you to download an arbitrary script with curl, and then pipe it to a shell running as root, for example:

[1]https://github.com/pry0cc/axio... [github.com]

And then what does that script do? Follow best practices for installing software on the target platforms?

Nooo..

It does ridiculous things like blindly overwrite files in /usr/bin with things it's pulled from another site:

sudo wget -q -O /usr/bin/jq [2]https://github.com/stedolan/jq.. [github.com]

[1] https://github.com/pry0cc/axiom

[2] https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
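As an added example (not code from the comment, the axiom project or jq), the same install step done defensively: download to a private temp file, check a pinned SHA-256, and only then place the binary with `install`, instead of `wget -O /usr/bin/...` straight onto a root-owned path. The expected hash, destination directory and file name are caller-supplied parameters, so the verify-and-install part runs offline.

```shell
#!/bin/sh
# Added example: hardened replacement for "sudo wget -q -O /usr/bin/<tool> <url>".
# Nothing is written to the destination directory until the pinned hash matches.
set -u

# Print the SHA-256 of a file, using whichever coreutils/perl tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_install SRC EXPECTED_SHA256 DEST_DIR NAME
# Installs SRC as DEST_DIR/NAME (mode 0755) only if its hash matches EXPECTED.
# On a mismatch it installs nothing and returns 1, so a swapped artifact never
# lands in a directory that is on root's PATH.
verify_and_install() {
    src=$1; expected=$2; dest_dir=$3; name=$4
    actual=$(sha256_of "$src") || return 1
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to install %s: sha256 %s != expected %s\n' \
            "$name" "$actual" "$expected" >&2
        return 1
    fi
    mkdir -p "$dest_dir" &&
    install -m 0755 "$src" "$dest_dir/$name"
}

# fetch_verify_install URL EXPECTED_SHA256 DEST_DIR NAME
# Network-facing wrapper: the download goes to a temp file first, never to the
# final path, and HTTPS with TLS 1.2+ is enforced. Not exercised offline.
fetch_verify_install() {
    tmp=$(mktemp) || return 1
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1" &&
        verify_and_install "$tmp" "$2" "$3" "$4"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

The pinned hash would come from the project's signed release notes or a checksums file you have already validated, not from the same unauthenticated download.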

Too much of the internet is auto updated (Score:2)

by xack ( 5304745 )

At least when a cd rom was infected they could be recalled and replaced. I just know that Windows update will get hacked one day and have 1 billion computers ransomwared. It will probably be an AI hallucination from a dev team overworked from layoffs.

Re: (Score:2)

by slipped_bit ( 2842229 )

That basically happened. It was called Windows 11.
