
At least 18 widely-used JavaScript code packages, collectively downloaded over two billion times per week, were briefly compromised after a developer was phished. The phishing email tricked the maintainer into submitting a one-time two-factor authentication token on a fake NPM login page, giving attackers access to his account. The malicious code was narrowly focused on intercepting cryptocurrency transactions, redirecting funds to attacker-controlled wallets without visible signs to users. Security experts warn that a similar attack with a more harmful payload could easily trigger a large-scale malware outbreak.

The compromised packages were quickly detected by Belgian security firm Aikido, which monitors updates to major open-source code repositories. According to Aikido, the injected code operated as a browser-based interceptor, manipulating wallet interactions and API calls while leaving interfaces apparently normal. The affected developer, Josh Junon, was alerted via social media and immediately began cleaning up the compromised packages, later publicly acknowledging the incident on HackerNews. Analysts noted that the spoofed NPM site had been registered just two days prior, highlighting the speed and precision of supply-chain attacks.

Security experts emphasize that the incident underscores the fragility of open-source software supply chains. While this attack focused on cryptocurrency, prior incidents—like the August compromise of the “nx” package—demonstrate that attackers can target credentials, API keys, and sensitive data on a massive scale. Observers urge platforms such as NPM and GitHub to implement stricter verification of code submissions, particularly for high-profile packages, to prevent compromised accounts from endangering millions of users worldwide.

Read the full article here: Krebs on Security
