Automated GitHub alarms triggered a quick response: Detection was swift once the updates bypassed GitHub’s usual commit-based alerts and raised red flags in registry logs. The maintainer revoked the compromised token, deprecated the malicious releases, and collaborated with npm to remove them.Socket noted that the attack is a textbook example of “multi-stage supply chain compromise,” which involves harvesting maintainer credentials, publishing malicious versions on npm, and potentially infecting thousands of projects.”More reports of compromised credentials are likely to roll in as attackers target other maintainers, leveraging scraped npm metadata and what has so far proved to be a very convincing automated phishing campaign,” it added.Developers are recommended to audit lockfiles, clear caches, reinstall clean versions, pin specific package versions, and enable two-factor authentication on npm accounts.npm, the default package manager for the JavaScript runtime Node.js, has seen increased abuse in recent times, owing to its reach and popularity. Last month, Socket observed two malicious npm packages capable of wiping out production systems with a single request. Previously, a score of npm packages were caught snooping on dev machines in addition to a clever campaign that dropped typo-squatted packages with stealers and RCE codes.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4026380/prettier-eslint-npm-packages-hijacked-in-a-sophisticated-supply-chain-attack.html
