Supply‑Chain Attack Compromises 600 npm Packages, Steals CI/CD Secrets
What Happened — Threat actors published 639 malicious versions across 323 npm packages in a one‑hour burst, hijacking maintainer accounts and publishing tokens to inject a credential‑stealing payload. The malware targets developer workstations and CI/CD pipelines, exfiltrating GitHub, npm, cloud, Kubernetes, Vault, Docker, database, and SSH secrets.
Why It Matters for TPRM —
- Third‑party code libraries can become a conduit for credential theft across your software supply chain.
- Compromised packages affect a broad range of downstream projects, increasing the attack surface of any organization that consumes them.
- Rapid, automated publishing makes detection difficult, highlighting the need for continuous monitoring of open‑source dependencies.
Who Is Affected — Technology SaaS vendors, development teams, CI/CD service providers, and any organization that incorporates npm packages (especially those using the @antv ecosystem).
Recommended Actions —
- Audit all npm dependencies for recent version changes and verify package integrity via hash or SBOM.
- Enforce two‑factor authentication and token rotation for all publishing accounts and CI/CD service tokens.
- Deploy runtime protection (e.g., SCA tools, behavior‑based monitoring) to detect anomalous credential‑access patterns.
Technical Notes — The attack leverages compromised maintainer credentials to push a heavily obfuscated index.js that encrypts stolen data (AES‑256‑GCM, RSA‑OAEP) and exfiltrates via the Session P2P network and GitHub API. Packages lacking OIDC trusted publishing were prime targets. Source: BleepingComputer