Recently, a major cyber attack was carried out on the NPM repository, resulting in the interception of account credentials for 18 popular NPM packages, each downloaded more than 2 billion times per week. The attackers were able to release new versions of these compromised packages containing malicious code. This attack affected not only the directly targeted projects but also hundreds of thousands of dependent packages.
Malicious updates were pushed out for packages such as debug, chalk, ansi-styles, color-convert, wrap-ansi, supports-color, and ansi-regex, all of which had over 200 million downloads in the past week. Notably, chalk and debug, with 129,286 and 55,289 dependent packages respectively, were among those compromised.
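A lockfile check for the packages named above, as an added example that is not part of the original article or of any npm tooling: it lists every installed copy, including nested transitive ones, and flags versions that appear in an advisory list. The sample lockfile, the advisory map and all version numbers are constructed placeholders; real affected versions must come from the official advisory.

```javascript
// Package names taken from the article; everything else here is illustrative.
const NAMED_PACKAGES = [
  'debug', 'chalk', 'ansi-styles', 'color-convert',
  'wrap-ansi', 'supports-color', 'ansi-regex',
];

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns every installed copy of a watched package, flagged when its
// pinned version is listed in the advisory map { name: [badVersion, ...] }.
function auditLockfile(lock, advisory = {}, watched = NAMED_PACKAGES) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(lockPath);
    if (!name || !watched.includes(name)) continue;
    const flagged = (advisory[name] || []).includes(entry.version);
    findings.push({ name, version: entry.version, path: lockPath, flagged });
  }
  // Flagged copies first, then by name and path for stable output.
  return findings.sort((a, b) =>
    (Number(b.flagged) - Number(a.flagged)) ||
    a.name.localeCompare(b.name) ||
    a.path.localeCompare(b.path));
}

// Constructed sample: a lockfileVersion 3 document with placeholder versions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '9.9.1' },
    'node_modules/debug': { version: '9.9.2' },
    'node_modules/unrelated-lib': { version: '1.3.0' },
    'node_modules/some-lib/node_modules/debug': { version: '9.9.3' },
    'node_modules/@acme/debug': { version: '1.0.0' }, // scoped, not a match
  },
};
// Constructed advisory map; these are not the real affected versions.
const SAMPLE_ADVISORY = { debug: ['9.9.3'], chalk: ['9.9.0'] };

console.log(auditLockfile(SAMPLE_LOCK, SAMPLE_ADVISORY));
```

To audit a real project, pass the parsed contents of its `package-lock.json` as `lock`; the nested `debug` copy in the sample shows why checking only top-level dependencies is not enough.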
In response to the attack, maintainers from the NPM project sent out an email urging users to update their two-factor authentication settings. Users who had not updated this information in over 12 months were warned that accounts with outdated 2FA settings would be blocked on September 10 to prevent unauthorized access.

The phishing emails were sent from the address “[email protected]” and directed users to a site mimicking npmjs.com. This tactic has been used in previous attacks on platforms like PyPI, NPM, and addons.mozilla.org to deceive users into providing sensitive information. By operating npmjs.help as a proxy for npmjs.com, the attackers gained control over user traffic, including login credentials and two-factor authentication requests.
Users who interacted with sites or applications using the compromised packages were exposed to malicious code. This code intercepted traffic and web API activity, manipulating functions like fetch and XMLHttpRequest. Additionally, the attackers targeted cryptocurrency interfaces to discreetly switch recipient details during transactions. Popular cryptocurrencies like Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash were affected.
More information regarding this attack can be found in announcements.