
"Crypto Heist of the Century: Billions of JavaScript Downloads Tainted in Massive Supply Chain Hack"
10/09/2025
Overview: In what is described as the largest supply chain hack in history, 18 widely used JavaScript packages, collectively downloaded over 2 billion times weekly via NPM (GitHub’s package manager for Node.js), were compromised with malicious code designed to steal cryptocurrencies, including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash.
Attack Details:
- Method: The attack was executed through a simple phishing email sent to the package maintainer, who uses the handle "bad-at-computer" on Bluesky.
- The email, appearing legitimate from "support@npmjs.help," tricked the maintainer into resetting their two-factor authentication, granting the attacker access to modify the packages.
- Impact: The malicious code intercepted crypto and web3 activity in users’ browsers, redirecting funds and approvals to attacker-controlled accounts without the user noticing anything. The extent of the spread is unclear, because the frequent dependency fetching done by software build systems inflates download counts.
Implications:
- Vulnerability Exposed: The ease of this attack highlights significant weaknesses in modern software development, particularly in securing open-source package ecosystems. Despite efforts such as software bills of materials (SBOMs) and mandatory two-factor authentication, current measures are still insufficient.
- Potential Risk: While this attack focused on cryptocurrency theft, the compromised packages could have been used for far more destructive purposes, underscoring the fragility of software supply chains.
Recommendations:
- Organisations using these packages should verify they are not running malicious versions.
- The industry must adopt more robust processes for developing, maintaining, and securing software to prevent future attacks.
- Enhanced security measures, beyond current standards, are critical to protect against similar low-effort, high-impact attacks.
Conclusion: This incident serves as a wake-up call for the software industry. While the attacker’s focus was on financial gain, future attacks could exploit similar vulnerabilities for greater harm. Urgent action is needed to strengthen supply chain security before a more devastating breach occurs.
READ THE STORY
A total of 18 JavaScript packages that have over 2 billion weekly downloads have been injected with malicious code in what is billed as the largest supply chain hack in history.
The compromised code was designed to steal cryptocurrency.
Picture this:
- Thanos, a Death-obsessed maniac retconned within the Marvel Cinematic Universe to be the most radical environmental activist in history, has assembled the Infinity Gauntlet.
- With it, he could wipe out half the universe's population.
- He raises his hand, snaps his fingers, and... steals a bunch of cryptocurrency instead.
- The Infinity Gauntlet would still be a problem, sure, but wouldn't that first snap come as a relief?
That's how the recent compromise of JavaScript packages that have been downloaded billions of times feels.
Does the ease with which an unknown threat actor was able to compromise the maintainer of these packages, modify the software, and distribute it highlight the disastrous state of modern software development? Absolutely. But we're lucky—they prioritised getting rich over wreaking havoc.
Here's what happened.
- Aikido said yesterday that 18 packages "were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user."
- The packages in question are distributed via NPM, GitHub's package manager and registry for the Node.js ecosystem, and they are collectively downloaded approximately 2 billion times per week.
- In theory, the hacker could have used the ability to modify these packages to do anything; Aikido said they opted to attempt to steal "Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash."
We don't know how far these malicious packages spread.
- The packages themselves are downloaded billions of times a week, but that's at least partly a byproduct of software build systems constantly fetching and re-fetching a project's dependencies. There's no denying these packages are popular, though, and organisations whose software depends on them should make sure they aren't using the malicious releases.
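One way to act on that recommendation (it is also the first item under Recommendations above): an added example, not code from the article, Aikido or npm, that reads a project's package-lock.json and reports any dependency resolved to a blocklisted version, including copies nested under other packages. The package names and versions in BLOCKLIST are constructed placeholders, since the article does not list the affected packages or releases; they must be replaced with the entries from the relevant advisory.

```javascript
// Added example, not code from the article or from npm: scan a project's
// package-lock.json for dependencies resolved to versions an advisory flagged
// as compromised. BLOCKLIST holds constructed placeholders, not real packages.
const BLOCKLIST = { "example-pkg": ["1.2.3"], "@example/widget": ["4.5.7"] };

// Returns [{ name, version, where }] for every blocklisted install. v2/v3
// lockfiles keep a flat "packages" map keyed by install path; v1 nests
// "dependencies". v2 also carries the legacy map, so "packages" is preferred.
function findCompromised(lock, blocklist = BLOCKLIST) {
  const hits = [];
  const check = (name, version, where) => {
    if ((blocklist[name] || []).includes(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    for (const [where, meta] of Object.entries(lock.packages)) {
      if (!where) continue; // "" is the root project, not a dependency
      const name = where.slice(where.lastIndexOf("node_modules/") + "node_modules/".length);
      check(name, meta.version, where);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      check(name, meta.version, where);
      walk(meta.dependencies, `${where}/`); // nested copies npm could not hoist
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed v3 lockfile: one clean install and two tainted ones, the second
// nested under another package where a top-level-only check would miss it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/example-pkg": { version: "1.2.3" },
    "node_modules/@example/widget": { version: "4.5.6" },
    "node_modules/left/node_modules/@example/widget": { version: "4.5.7" },
  },
};

// Usage: node check-lock.js [package-lock.json]; with no path, SAMPLE_LOCK is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs"); // loaded here so the file also imports cleanly as an ES module
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const h of findCompromised(lock)) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.where}`);
}
```

Running it against a real lockfile only tells you what is pinned; the same blocklist should also be checked against what is actually deployed, since a build may have fetched a tainted release before the lockfile was updated.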
But was this at least the result of a sophisticated attack? No.
- The maintainer of these packages (who, it should be noted, uses the handle "bad-at-computer" on Bluesky) said they received a two-factor authentication reset email that "looked very legitimate" from "support@npmjs.help" and thought it was benign. It wasn't. All it took to pull off a hack of this scale was a domain name, an email, and the willingness to try.
This isn't a new problem, nor is it exclusive to NPM.
- Nathaniel Mott reported in 2021 that hackers were targeting maintainers of packages used by JavaScript, Python, Ruby, and Java developers in their own software, and even then, the problem had been known for years. The infamous left-pad incident—wherein the deletion of 11 lines of code "broke the internet" because so much software depended on it—happened in 2016.
- The industry has been attempting to address this problem by encouraging the use of software bills of materials (SBOMs), by requiring maintainers of widely used packages to secure their accounts with two-factor authentication, and through other measures. Yet this incident proves that these measures are not enough. Until the commonly accepted processes for developing, maintaining, and releasing software are changed, these problems will persist.
This time, the Infinity Gauntlet was used to steal cryptocurrency.
- Will the next Thanos snap their fingers with the same intention?
- And which is going to come first, the snap that causes far more damage than a crypto thief, or the arrival of something that can finally stop that snapping altogether?
- Thanos claimed that he's inevitable; are we really just consigning ourselves to hoping that was only true on the silver screen?