Earlier in 2025, the Node Package Manager (npm) ecosystem suffered a severe supply chain attack.
What problems occurred?
Maintainer accounts were compromised through phishing, which let the attackers publish malware in npm packages. The main targets were chalk, debug, react-router-dom, nodemon, zustand and many others, packages with millions to billions of weekly downloads. The malicious code hooked into browsers and various network APIs, silently intercepting credentials, secrets and other sensitive data.
Why this matters for DevOps engineers and developers
This attack matters for DevOps teams and developers because it does not compromise just one project: every project that depends on an affected npm package is compromised along with it.
How this supply chain attack works
Attackers send phishing emails designed to look like npm security alerts. Credentials and auth tokens entered on the attackers' fake websites are leaked to them, giving them access to maintainer accounts. They then add and publish hidden scripts that execute directly during `npm install`. The attackers then use a variety of techniques to hook network APIs:
- API key theft
- Hooking of APIs
- Access token manipulation
- Man-in-the-middle attacks
And many more. This lets the attackers use the stolen credentials to infect the whole environment.
What can we do for prevention?
- All maintainer accounts should have MFA/2FA enabled.
- Use least-privilege, narrowly scoped tokens, and prefer short-lived tokens.
- Verify package signatures while installing.
- Keep dependencies updated.
- In the application's CI, run `npm audit` and other software composition analysis tools such as Snyk or OSS Index before the build.
- Use lock files: package-lock.json or yarn.lock.
- Use `npm ci` or `yarn --frozen-lockfile`.
- Disable lifecycle scripts using `npm install --ignore-scripts`.
- When publishing a package, adopt npm provenance, which refers to trusted publishing of a package.
Conclusion
In this blog, we have talked about the supply chain attack on the Node Package Manager: what issues a supply chain attack can cause, how it works, and how we can prevent these attacks.