CySecurity News - Latest Information Security and Hacking Incidents, EN

npm Supply Chain Attack Spreads Worm Malware Stealing Developer Secrets Across Compromised Packages

 

Worry grows within the cybersecurity community following discovery of a fresh supply chain threat aimed at the npm platform, where self-replicating malicious code infiltrates public software libraries to harvest confidential information from coders. Though broad consumer impact seems minimal, investigators at Socket and StepSecurity confirm the assault specifically targets niche development setups – environments often overlooked in typical breach patterns. 

Detection came after unusual network activity flagged automated systems, leading analysts to trace payloads back to tampered dependencies uploaded under legitimate project names. Unlike older variants that rely on user interaction, this version activates silently once installed, transmitting credentials to remote servers without visible signs. Researchers emphasize the sophistication lies not in complexity but timing: attacks unfold during build processes, evading standard runtime checks. 
From initial samples, it appears attackers maintain persistence by chaining exploits across multiple packages. Investigation continues into whether source repositories were breached directly or if hijacked maintainer accounts allowed upload privileges.

Not far behind the initial breach, several packages tied to Namastex Labs began showing suspicious behavior. One after another, altered forms of @automagik/genie, pgserve, and similar tools appeared online without warning. 

What started as isolated reports now points to a wider pattern unfolding quietly. Though some tainted releases have been pulled, fresh variants continue turning up unexpectedly.

Danger comes from how the code spreads itself automatically. Right after a package installs, it acts like a worm – starting fast, grabbing key details from the system it hits. Things such as API tokens show up on the list, along with SSH keys, cloud login info, and hidden codes used in software build tools, containers, or AI setups. 

Off it goes, sending what it finds to servers run by attackers.

Despite lacking conclusive proof, analysts observe patterns matching past operations tied to TeamPCP. Similarities emerge in how malware activates upon installation, grabs login details, and uses distributed infrastructure for spreading code and storing stolen data.

What makes this malware more than just a thief is how it pushes outward without pause. 

Once inside, it hunts for npm login details and identifies which libraries the developer can upload. Harmful scripts are then inserted and republished, turning trusted tools into hidden entry points. If Python credentials appear, the same process spreads into PyPI.

Not just traditional systems are at risk – crypto-linked holdings face exposure too, with data targeted from tools like MetaMask and Phantom. One weak spot in a developer’s setup can ripple outward, showing how quickly risks spread across software ecosystems.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Read the original article: