{"id":30209,"date":"2025-12-16T12:47:33","date_gmt":"2025-12-16T07:17:33","guid":{"rendered":"https:\/\/opstree.com\/blog\/?p=30209"},"modified":"2025-12-16T12:48:46","modified_gmt":"2025-12-16T07:18:46","slug":"npm-supply-chain-attack-2025","status":"publish","type":"post","link":"https:\/\/opstree.com\/blog\/2025\/12\/16\/npm-supply-chain-attack-2025\/","title":{"rendered":"Understanding NPM Supply Chain Attack 2025"},"content":{"rendered":"<p><span data-contrast=\"auto\">Earlier in 2025, the Node Package Manager (npm) ecosystem suffered a severe supply chain attack.<\/span><\/p>\n<p><!-- Table of Contents Block Start --><\/p>\n<div class=\"wp-block-toc\" style=\"border: 1px solid #ddd; padding: 15px; border-radius: 8px; background-color: #f9f9f9;\">\n<h2 style=\"font-size: 20px; margin-bottom: 10px;\">Table of Contents<\/h2>\n<ul style=\"list-style-type: none; padding-left: 0; line-height: 1.8;\">\n<li><a style=\"text-decoration: none; color: #0073aa;\" href=\"#problems-occurred\">1. What problems occurred?<\/a><\/li>\n<li><a style=\"text-decoration: none; color: #0073aa;\" href=\"#why-this-matters\">2. Why does this matter for DevOps\/developers?<\/a><\/li>\n<li><a style=\"text-decoration: none; color: #0073aa;\" href=\"#how-attack-works\">3. How does this supply chain attack work?<\/a><\/li>\n<li><a style=\"text-decoration: none; color: #0073aa;\" href=\"#prevention\">4. What can we do for prevention?<\/a><\/li>\n<li><a style=\"text-decoration: none; color: #0073aa;\" href=\"#conclusion\">5. Conclusion<\/a><\/li>\n<\/ul>\n<\/div>\n<p><!--more--><\/p>\n<h2 id=\"problems-occurred\"><b><span data-contrast=\"auto\">What problems occurred?<\/span><\/b><\/h2>\n<p><span data-contrast=\"auto\">Maintainers' accounts were compromised through phishing, after which the attackers published malware in Node packages (npm packages). The most heavily targeted packages were chalk, debug, react-router-dom, nodemon, zustand and many more, which together have millions to billions of weekly downloads. The malicious code hooked into browsers and various network APIs, silently intercepting credentials, secrets and other sensitive data.<\/span><\/p>\n
<h2 id=\"why-this-matters\"><b><span data-contrast=\"auto\">Why does this matter for DevOps\/developers?<\/span><\/b><\/h2>\n<p><span data-contrast=\"auto\">This attack matters for DevOps engineers and developers because it does not compromise just one project: every project that depends on an affected Node package is compromised as well.<\/span><\/p>\n<h2 id=\"how-attack-works\"><b><span data-contrast=\"auto\">How does this supply chain attack work?<\/span><\/b><\/h2>\n<p><span data-contrast=\"auto\">Attackers send phishing emails designed to look like npm security alerts. Credentials and auth tokens are then harvested through fake websites, giving the attackers access to maintainers' accounts. They add and publish hidden scripts that execute directly during <code>npm install<\/code>. The attackers then use a variety of techniques to hook network APIs:<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">API key theft<\/span><\/li>\n<li><span data-contrast=\"auto\">Hooking of APIs<\/span><\/li>\n<li><span data-contrast=\"auto\">Access token manipulation<\/span><\/li>\n<li><span data-contrast=\"auto\">Man-in-the-middle attacks<\/span><\/li>\n<\/ul>\n<p><span data-contrast=\"auto\">And many more. With the stolen credentials, the attackers could then infect the whole environment.<\/span><\/p>\n
<h2 id=\"prevention\"><b><span data-contrast=\"auto\">What can we do for prevention?<\/span><\/b><\/h2>\n<ul>\n<li><span data-contrast=\"auto\">All maintainer accounts should have <strong>MFA\/2FA<\/strong>.<\/span><\/li>\n<li><span data-contrast=\"auto\">Use least-privilege, narrowly scoped tokens, and prefer short-lived tokens.<\/span><\/li>\n<li><span data-contrast=\"auto\">Verify package signatures while installing.<\/span><\/li>\n<li><span data-contrast=\"none\">Keep dependencies updated.<\/span><\/li>\n<li><span data-contrast=\"auto\">In the application's CI, run <code>npm audit<\/code> and other software composition analysis tools such as Snyk or OSS Index before the build.<\/span><\/li>\n<li><span data-contrast=\"auto\">Use lock files: <strong>package-lock.json<\/strong> or <strong>yarn.lock<\/strong>.<\/span><\/li>\n<li><span data-contrast=\"auto\">Use <code>npm ci<\/code> or <code>yarn --frozen-lockfile<\/code>.<\/span><\/li>\n<li><span data-contrast=\"auto\">Disable lifecycle scripts using <code>npm install --ignore-scripts<\/code>.<\/span><\/li>\n<li><span data-contrast=\"auto\">When publishing a package, adopt <b>npm provenance<\/b>, which attests to trusted publishing of the package.<\/span><\/li>\n<\/ul>\n
<h2 id=\"conclusion\"><b><span data-contrast=\"none\">Conclusion<\/span><\/b><\/h2>\n<p><span data-contrast=\"none\">In this blog we have discussed the <\/span><a href=\"https:\/\/auth0.com\/blog\/secure-nodejs-applications-from-supply-chain-attacks\/?utm_source=google&amp;utm_campaign=apac_india_mult_all_ciam-dev_dg-plg_auth0_search_google_pmax_retarget_utm2&amp;utm_medium=cpc&amp;utm_id=aNK4z000000UFODGA4&amp;gad_source=1&amp;gad_campaignid=21470399250&amp;gbraid=0AAAAACmv60V_PzP5IKwKSJfBmPdWI6Qd1&amp;gclid=CjwKCAiAl-_JBhBjEiwAn3rN7eqJBcjCYrfa_PqHx7GHu7qJUEOIJh1WhsRvuRO7tOzjSs7FumgrcBoCLAoQAvD_BwE\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">supply chain attack<\/span><\/a><span data-contrast=\"none\"> on the Node Package Manager: what issues it can cause, how it works, and how we can prevent such attacks.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Earlier in 2025, the Node Package Manager (npm) ecosystem suffered a severe supply chain attack. Table of Contents 1. What problems occurred? 2. Why does this matter for DevOps\/developers? 3. How does this supply chain attack work? 4. What can we do for prevention? 5. Conclusion<\/p>\n","protected":false},"author":244582715,"featured_media":30211,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[28070474],"tags":[965824,343865,768739407],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/opstree.com\/blog\/wp-content\/uploads\/2025\/12\/Blog-Image-Template-7.jpg","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pfDBOm-7Rf","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/30209"}],"collection":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/users\/244582715"}],"replies":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/comments?post=30209"}],"version-history":[{"count":3,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/30209\/revisions"}],"predecessor-version":[{"id":30213,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/posts\/30209\/revisions\/30213"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media\/30211"}],"wp:attachment":[{"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/media?parent=30209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/categories?post=30209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/opstree.com\/blog\/wp-json\/wp\/v2\/tags?post=30209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}