Incident hitting NPM users is likely the biggest supply-chain attack
a day ago
- #supply-chain attack
- #phishing
- #npm security
- Hackers planted malicious code in open source software packages with over 2 billion weekly updates, marking a major supply-chain attack.
- Nearly two dozen npm packages were compromised after a maintainer, Josh Junon (Qix), fell for a phishing email.
- The attackers published new versions of the packages containing malicious code that redirected cryptocurrency payments to attacker-controlled wallets.
- The compromised packages included foundational JavaScript code, affecting thousands of dependent packages.
- The phishing email came from a fake domain (support.npmjs.help) mimicking npm's official site, tricking Junon into disabling 2FA.