{"id":10575,"date":"2025-09-29T15:19:06","date_gmt":"2025-09-29T15:19:06","guid":{"rendered":"https:\/\/www.binaryconfidence.com\/?p=10575"},"modified":"2025-11-24T12:11:40","modified_gmt":"2025-11-24T12:11:40","slug":"npm-utok-ked-dodavatelsky-kod-pracuje-proti-vam","status":"publish","type":"post","link":"https:\/\/www.binaryconfidence.com\/en\/npm-utok-ked-dodavatelsky-kod-pracuje-proti-vam\/","title":{"rendered":"NPM Attack: When Supplier Code Turns Against You"},"content":{"rendered":"

On September 8, 2025, part of the software packages in the world\u2019s largest repository, npm, was compromised. The attackers gained access in the most ordinary way: a targeted phishing attack successfully broke into the account of a respected contributor. The security community quickly uncovered the attack, which kept the consequences minimal. But for a brief moment, the digital supply chain that underpins the entire software ecosystem turned against business.<\/em><\/p>\n

The attackers focused on maintainers of popular packages. One of them received a phishing email from a fake domain, which at first glance looked like an official request to update two-factor authentication. He fell for it, and the attackers gained access to his account. They then inserted malicious code into 18 well-known packages.<\/p>\n

 <\/p>\n

\"\"<\/p>\n

 <\/p>\n

These libraries see billions of downloads each month and form the foundation of thousands of other projects, which dramatically increased the potential impact. The malware was designed to target crypto wallets: it intercepted web API calls and changed wallet addresses so that money meant for users or businesses was redirected to the attackers.<\/p>\n

The spread was fast and massive. Automated CI\/CD pipelines pulled the infected versions into tens of thousands of builds Vercel confirmed<\/a>that more than 70 teams had already integrated the malicious versions before the problem was spotted. Within hours of the first distribution, warnings began to circulate, and the maintainer known as Junon deleted nearly all of the compromised packages. The repository admin blocked his account, but later the same day it was restored and the packages were cleaned of malicious code. Financial losses were estimated at around USD 970 \u2014 a trivial sum compared to what might have happened if the attack had lasted longer.<\/p>\n

As a direct response to the npm incident, GitHub announced<\/a>that it will strengthen authentication and publishing processes. For local publishing, it will require two-factor authentication (2FA) and short-lived granular tokens valid for only seven days. At the same time, it is introducing mandatory trusted publishing directly from CI\/CD pipelines using OpenID Connect (OIDC).<\/p>\n

 <\/p>\n

You\u2019re Only as Strong as Your Weakest Supplier<\/h3>\n

When the software supply chain is breached, the consequences don\u2019t stop at financial losses or stolen crypto wallets. The real problem is that attackers gain access directly to the base code relied upon by countless companies and end users \u2014 from communications and manufacturing to logistics, transport, and service delivery. Your product or service could be weaponized in an attack without you even realizing it.<\/p>\n

Compromised code often ends up on darknet forums, for example in China or Russia, where it becomes a \u201cproduct for rent\u201d for other criminals to use in phishing campaigns, data theft, or ransomware. At that point, your reputation no longer matters \u2014 your code has become part of the cybercrime ecosystem, traded like a commodity.<\/p>\n

The legal and regulatory risks are also significant. If it turns out your product shipped with compromised code and attackers used it to access personal data, you could face fines under GDPR or similar laws. In practice, this means not only financial penalties but also long-term loss of trust from clients and partners.<\/p>\n

The npm attack highlights an uncomfortable truth: institutions and companies are only as secure as their weakest supplier. This holds true even for suppliers buried deep within your software. Supply chain compromises bring several major risks:<\/p>\n