The largest supply-chain attack in the NPM ecosystem compromised popular packages, affecting nearly 10% of cloud environments, yet the attacker's profits were minimal. The rapid removal of the malicious packages prevented widespread damage, while the incident highlights weak points in open-source software supply chains. #NPM #SupplyChainAttack
Key points
- The attack was carried out through a phishing compromise of maintainer Josh Junon’s account.
- Malicious updates were available for two hours, affecting up to 10% of cloud environments.
- The malicious code primarily targeted crypto wallets to steal cryptocurrencies such as ETH and Solana.
- Despite its scale, the attack resulted in less than $1,000 in profits for the hackers.
- Additional compromised packages were found in the DuckDB project, with total traced profits around $600.