What is the Attack?

On September 8, 2025, attackers phished the npm maintainer “qix” and stole their two-factor authentication (2FA) credentials. With that access, they published malicious versions of some very popular npm packages (including debug, chalk, and ansi-styles).

The impact is considered high risk for applications that serve frontend JavaScript, especially those handling payments, cryptocurrency, or wallet flows. Reports indicate that these compromised versions were live for about two hours before removal.

According to the CISA Alert on this incident, the campaign also involved a self-replicating worm – publicly known as “Shai-Hulud” – which compromised over 500 packages. After gaining initial access, the malicious actor deployed malware that scanned environments for sensitive credentials. The attacker specifically targeted GitHub Personal Access Tokens (PATs) and API keys for major cloud platforms, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

What is the recommended Mitigation?

• Dependency Controls

Pin dependencies to known-safe versions.

Blocklist malicious versions in private registries/proxies.

Rebuild from a clean state and invalidate CDN caches.

• Credential Hygiene

Rotate npm, GitHub, and cloud tokens.

Enforce phishing-resistant MFA (e.g., hardware keys).

• CI/CD Hardening

Audit secrets, webhooks, and GitHub Actions.

Enable secret scanning and branch protections.

Add guardrails to detect tampered dependencies before production build.

• Network & Runtime Defense

Block outbound traffic to known exfiltration domains.

Continuously monitor for new IoCs related to npm compromise.
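The dependency controls above (pinning, blocklisting, a pre-build guardrail) can be enforced as one check in the build pipeline. The following is an added example, not code from the alert or from FortiGuard; it assumes an npm lockfileVersion 2/3 package-lock.json and uses constructed placeholder version strings in place of the actual compromised releases.

```javascript
// Added example, not from the FortiGuard alert: a pre-build guardrail that audits an
// npm package-lock.json against a blocklist of compromised releases and flags direct
// dependencies that are not pinned to an exact version. Package names come from the
// alert; the version strings are CONSTRUCTED placeholders, not the real malicious
// releases. Replace them with the versions named in your registry's advisory.
const BLOCKLIST = {
  "debug": ["0.0.0-compromised"],
  "chalk": ["0.0.0-compromised"],
  "ansi-styles": ["0.0.0-compromised"],
};

// lockfileVersion 2/3 lists every installed package under "packages", keyed by its
// install path ("node_modules/debug", or "node_modules/foo/node_modules/debug" when nested).
function auditLockfile(lock, blocklist = BLOCKLIST) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if ((blocklist[name] || []).includes(meta.version)) {
      findings.push({ path, name, version: meta.version });
    }
  }
  return findings;
}

// A range specifier ("^5.0.0", "~4.0.0", "*") lets a freshly published malicious
// release be pulled in on the next install; only exact semver pins pass.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
function unpinnedDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps).filter(([, spec]) => !EXACT.test(spec))
    .map(([name, spec]) => ({ name, spec }));
}

// True when the build should be stopped; CI would exit non-zero on this.
function buildShouldFail(lock, pkg) {
  return auditLockfile(lock).length > 0 || unpinnedDependencies(pkg).length > 0;
}

// Constructed sample inputs so the script runs stand-alone.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/chalk": { version: "0.0.0-compromised" },
  "node_modules/debug": { version: "4.0.0" },
  "node_modules/foo/node_modules/ansi-styles": { version: "0.0.0-compromised" },
} };
const SAMPLE_PKG = { dependencies: { chalk: "^5.0.0", debug: "4.0.0" } };
console.log("blocked:", auditLockfile(SAMPLE_LOCK));
console.log("unpinned:", unpinnedDependencies(SAMPLE_PKG));
console.log("fail build:", buildShouldFail(SAMPLE_LOCK, SAMPLE_PKG));
```

Nested copies of a package are caught as well, since the check keys on the last `node_modules/` segment rather than on top-level entries only.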

What FortiGuard Coverage is available?

  • Web Filtering: Blocks access to domains controlled by attackers.

  • Indicators of Compromise (IOCs) Service: FortiGuard Labs has blocked all known linked Indicators of Compromise (IOCs), and the team is continuously monitoring for emerging threats and new IOCs.

  • FortiGuard Antivirus & Behavior Detection: Detects malicious JS/HTML payloads (Shai-Hulud) from poisoned npm packages and uses advanced behavioral analysis to detect and block unknown threats.

  • FortiEDR / FortiClient: Detects suspicious script execution and unauthorized Git/token harvesting on endpoints.

  • Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.