NPM SUPPLY CHAIN ATTACK STEALS TOKENS, SELF-SPREADS
AI DESK■ 2 MIN READ
WED, APR 22, 2026■ AI-SUMMARIZED FROM 1 SOURCE BELOW
A new npm supply chain attack is harvesting developer authentication credentials and automatically spreading through packages published from compromised accounts. The attack demonstrates a concerning escalation in threats targeting the Node.js ecosystem.
Security researchers have identified a supply chain attack targeting npm that combines credential theft with self-propagation capabilities. The attack compromises developer accounts and uses those credentials to publish malicious packages, which then infect downstream users and attempt to compromise their accounts as well.
The attack works by injecting code into npm packages that steals authentication tokens when installed. These tokens grant access to npm registries and can be used to publish additional malicious packages or modify existing ones. This creates a chain reaction where each compromised developer potentially exposes their entire network of dependencies.
Unlike previous npm attacks that relied on typosquatting or abandoned packages, this threat leverages legitimate-looking package updates and hijacked developer accounts. This makes detection significantly harder, as the malicious code appears to come from trusted sources.
The attack targets developers across multiple projects simultaneously. Once a token is stolen, attackers can access all packages associated with that developer's account, expanding the blast radius substantially. Organizations using affected packages may unknowingly distribute compromised code to their own users.
The npm security team has been notified and is working to identify and remove malicious packages from the registry. Security researchers recommend developers immediately rotate authentication tokens and review recent package publishing activity on their accounts.
This incident highlights persistent vulnerabilities in open-source supply chains. While npm and similar registries have implemented security measures, determined attackers continue to find ways around them. The self-spreading nature of this attack is particularly concerning, as it can compromise systems faster than security teams can respond.
Developers should audit their dependencies, enable two-factor authentication on npm accounts, and consider using tools that monitor package integrity and flag suspicious updates.
■ MORE FROM THE SECURITY DESK
The UK's GCHQ estimates approximately 100 nations have acquired sophisticated cyber intrusion tools like Pegasus, signaling that access to advanced hacking technology is becoming increasingly widespread.
JUST NOW— Security Desk
Cosmetics retailer Rituals has confirmed a data breach affecting its customer membership database. The company, which maintains records for 41 million customers, has not disclosed the exact number of individuals impacted.
JUST NOW— Security Desk
Ofcom has launched a formal investigation into Telegram after receiving evidence that the messaging platform is failing to prevent the sharing of child sexual abuse material (CSAM). The probe follows the Online Safety Act requirements for UK communications regulators.
JUST NOW— Industry Desk
The UK's cybersecurity chief has warned that businesses and critical infrastructure are underestimating threats from spyware, as more governments gain access to powerful surveillance technology than ever before.
2H AGO— Security Desk