Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack

This article reports the largest supply chain attack in history: malware was injected into popular npm packages that together see over 2.6 billion weekly downloads. The attack was carried out by compromising maintainer accounts through sophisticated phishing schemes targeting developers. #npmjshelp #supplychainattack

Key points

  • The attack targeted npm packages with billions of weekly downloads by injecting malicious code.
  • Threat actors used phishing emails impersonating npm support to hijack maintainer accounts.
  • The injected malware intercepts crypto transactions and manipulates wallet interactions in browsers.
  • Malicious code redirects cryptocurrency payments to attacker-controlled addresses without the user noticing.
  • The npm team has removed some malicious package versions, but the attack highlights ongoing supply chain risks.

Read More: https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/