A new npm supply chain attack is harvesting developer authentication credentials and automatically spreading through packages published from compromised accounts. The attack demonstrates a concerning escalation in threats targeting the Node.js ecosystem.
Security researchers have identified a supply chain attack targeting npm that combines credential theft with self-propagation capabilities. The attack compromises developer accounts and uses those credentials to publish malicious packages, which then infect downstream users and attempt to compromise their accounts as well.
The attack works by injecting code into npm packages that steals authentication tokens when installed. These tokens grant access to npm registries and can be used to publish additional malicious packages or modify existing ones. This creates a chain reaction where each compromised developer potentially exposes their entire network of dependencies.
Unlike previous npm attacks that relied on typosquatting or abandoned packages, this threat leverages legitimate-looking package updates and hijacked developer accounts. This makes detection significantly harder, as the malicious code appears to come from trusted sources.
The attack targets developers across multiple projects simultaneously. Once a token is stolen, attackers can access all packages associated with that developer's account, expanding the blast radius substantially. Organizations using affected packages may unknowingly distribute compromised code to their own users.
The npm security team has been notified and is working to identify and remove malicious packages from the registry. Security researchers recommend developers immediately rotate authentication tokens and review recent package publishing activity on their accounts.
This incident highlights persistent vulnerabilities in open-source supply chains. While npm and similar registries have implemented security measures, determined attackers continue to find ways around them. The self-spreading nature of this attack is particularly concerning, as it can compromise systems faster than security teams can respond.
Developers should audit their dependencies, enable two-factor authentication on npm accounts, and consider using tools that monitor package integrity and flag suspicious updates.
Partnered Health, one of Australia's largest healthcare providers, has disclosed a cyber-attack affecting 21 clinics across Sydney, Melbourne, and Canberra. Personal information and medical records were compromised in the breach.
Security firm Intruder has developed an AI-powered system that automatically identifies previously unknown software vulnerabilities by combining code analysis with large language models. The tool already discovered and exploited a WordPress plugin zero-day.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.