A sophisticated supply chain attack targeting the Node Package Manager (npm) ecosystem is leveraging compromised developer tokens to distribute malicious updates. This campaign aims to establish persistence within the build pipelines of large-scale enterprise projects.
The attack begins with the distribution of “malicious-but-functional” packages that exfiltrate npm publishing tokens and GitHub access keys from the developer’s environment. Once a token is stolen, the threat actors use it to publish poisoned updates to legitimate, high-traffic libraries. These updates contain obfuscated code designed to harvest environment variables and production database credentials during the npm install or build workflow.
The reuse of compromised developer identities makes these attacks exceptionally difficult to detect, as the malicious updates originate from verified maintainer accounts. This highlights the danger of long-lived automation tokens in modern DevOps environments where trust is often implicit rather than verified.
– Enforce the use of phishing-resistant MFA for all npm and GitHub accounts across the development team.
– Regularly audit and rotate all CI/CD service account tokens and personal access keys.
– Transition to a locked-down registry model that enforces SHA-256 hash pinning for every dependency in the project lockfile.
– Monitor build runner logs for anomalous outbound connections to unknown IP addresses during dependency installation.
Supply chain security is an identity problem; protecting the developer’s publishing pipeline is as critical as protecting the code itself. #CodeDefence #SupplyChain #NPM #DevSecOps
/
