Hackers left empty-handed after massive NPM supply-chain attack
The largest supply-chain compromise in the history of the NPM ecosystem has impacted roughly 10% of all cloud environments, but the attacker made little profit off it.
The attack occurred earlier this week after maintainer Josh Junon (qix) fell for a password reset phishing lure and compromised multiple highly popular NPM packages, among them chalk and degub-js, that cumulatively have more than 2.6 billion weekly downloads.
After gaining access to Junon’s account, the attackers pushed malicious updates with a malicious module that stole cryptocurrency by redirecting transactions to the threat actor.
The open-source software community quickly discovered the attack, and all the malicious packages were removed within two hours.
According to researchers at cloud security company Wiz, one or more of the compromised packages, which are fundamental building blocks for nearly any JavaScript/Node project, were used in 99% of cloud environments.
During the two-hour window they were available for download, the compromised packages were pulled by roughly 10% of cloud environments.
“During the short 2-hour timeframe in which the malicious versions were available on npm, the malicious code successfully reached 1 in 10 cloud environments,” explained Wiz.
“This serves to demonstrate how fast malicious code can propagate in supply chain attacks like this one.”
The 10% figure is based on Wiz’s visibility into customer cloud environments, as well as public sources. While it may not be a representative percentage, it is still indicative of the fast spread and reach of the attack.
Attackers made less than $1,000
Although the attack caused notable disruption, requiring companies a significant number of hours for cleanups, rebuilding, and auditing, the security implications are negligible, just like the threat actor's profit.
According to an analysis by Security Alliance, the injected code targeted browser environments, hooking Ethereum and Solana signing requests, swapping cryptocurrency wallet addresses with attacker-controlled ones (crypto-jacking).
The type of payload is what saved companies that pulled the compromised devices from a much more serious security incident, as the threat actor could have used their access to plant reverse shells, move laterally on the network, or plant destructive malware.
Despite the massive scale of the attack and the numerous victims, the attackers were only able to divert five cents worth of ETH and $20 worth of a virtually unknown memecoin.
Socket researchers published a report yesterday, alerting that the same phishing campaign also impacted DuckDB’s maintainer account, compromising the project’s packages with the same crypto-stealing code.
According to them, the profits traced to the attackers’ wallets are roughly $429 in Ethereum, $46 in Solana, and small amounts in BTC, Tron, BCH, and LTC totaling $600.
It is also noted that the attacker’s wallet addresses that hold any significant amounts have been flagged, limiting their ability to convert or use the little money they made.
