Shai-Hulud keeps burrowing: 314 npm packages infected after another account compromise
Briefly

"An npm account compromise infected 314 npm packages with malware, including size-sensor, echarts-for-react, timeago.js, and packages scoped to @antv, in a 22-minute burst of activity in the early hours of Tuesday morning."
"The malware reads environment variables and scans files to find credentials for GitHub, npm, cloud platforms including AWS, Microsoft Azure, and Google Cloud, Docker, Stripe, and more. The code also attempts to escape container boundaries. Stolen secrets are exfiltrated to a new GitHub repository."
"The malware injects settings files into other local projects on a developer machine, for execution by Claude Code or Codex, and further abuses GitHub as a C2 (command-and-control) backdoor via malicious repositories and Python code that downloads and executes content from them."
"The compromised account, i@hust.cc, belongs to a developer based in Hangzhou, China. Security researcher Nicholas Carlini reported the malware on GitHub, and the hust.cc account closed the issues and marked them as "fixed" within an hour. This means the malware report on this and other repositories is hidden unless a developer looks for closed issues."
An npm account compromise infected 314 npm packages with malware, including widely used modules such as size-sensor, echarts-for-react, @antv/scale, and timeago.js, in a single 22-minute burst automated with a stolen token. The compromised account belonged to a developer in Hangzhou, China. GitHub issues reporting the malware were closed and marked fixed within an hour, so the reports stay hidden from anyone who does not look at closed issues. Some malicious versions have since been deprecated or removed from npm. The malware reads environment variables and scans files for credentials for GitHub, npm, AWS, Microsoft Azure, Google Cloud, Docker, and Stripe, attempts to escape container boundaries, and exfiltrates the stolen secrets to a newly created GitHub repository. It also injects settings files into other local projects for execution by Claude Code or Codex, and uses GitHub repositories, plus Python code that downloads and executes content from them, as a command-and-control backdoor.
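Two quick checks a developer can run after reading the above, as an added example (not code from The Register or from any of the affected projects): first, walk a package-lock.json and report every occurrence of the packages and scope the article names, so the installed versions can be compared by hand against the advisory; second, list the names of credential-looking environment variables that any package lifecycle script on this machine would inherit, which is exactly what the summary says the malware reads. The article gives package names but not the malicious version numbers, so a hit means "review this", not "this is compromised". The sample lockfile, its version numbers, and the sample environment below are constructed for the example.

```python
"""Audit a lockfile for packages named in the Shai-Hulud report, and list
credential-looking env vars a lifecycle script would inherit.

Added example, not code from the article or from any affected project.
"""
import json
import sys
from typing import Dict, Iterator, List, Mapping, Tuple

# Packages named in the article. The page gives no version numbers, so a hit
# is a prompt to check the installed version against the advisory, nothing more.
NAMED_PACKAGES = {"size-sensor", "echarts-for-react", "timeago.js", "@antv/scale"}
NAMED_SCOPES = {"@antv"}  # the article says packages scoped to @antv were hit


def _iter_v1(deps: Dict, path: str = "") -> Iterator[Tuple[str, str, str]]:
    """Walk a lockfileVersion 1 'dependencies' tree: name -> {version, dependencies}."""
    for name, meta in deps.items():
        here = f"{path}/{name}" if path else name
        yield name, meta.get("version", "?"), here
        yield from _iter_v1(meta.get("dependencies", {}), here)


def _iter_v2(packages: Dict) -> Iterator[Tuple[str, str, str]]:
    """Walk a lockfileVersion 2/3 'packages' map keyed by node_modules/<name> paths."""
    for key, meta in packages.items():
        if not key:  # "" is the root project entry
            continue
        # The text after the last 'node_modules/' is the (possibly scoped) name.
        name = key.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", "?"), key


def find_named_packages(lock: Dict) -> List[Tuple[str, str, str]]:
    """Return sorted (name, version, location) for every named package or scope found."""
    entries = _iter_v2(lock["packages"]) if "packages" in lock else _iter_v1(lock.get("dependencies", {}))
    hits = []
    for name, version, where in entries:
        scope = name.split("/")[0] if name.startswith("@") else None
        if name in NAMED_PACKAGES or scope in NAMED_SCOPES:
            hits.append((name, version, where))
    return sorted(hits)


# Credential-bearing variables for the services the article lists, plus
# generic markers. "_KEY" rather than "KEY" avoids matching e.g. KEYBOARD.
KNOWN_SECRET_ENV = {
    "NPM_TOKEN", "GITHUB_TOKEN", "GH_TOKEN", "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_ACCESS_KEY", "AZURE_CLIENT_SECRET", "GOOGLE_APPLICATION_CREDENTIALS",
    "DOCKER_PASSWORD", "STRIPE_SECRET_KEY",
}
SECRET_MARKERS = ("TOKEN", "SECRET", "PASSWORD", "_KEY", "CREDENTIALS")


def exposed_secret_env(environ: Mapping[str, str]) -> List[str]:
    """Names (never values) of env vars that look like credentials.

    Anything in this list is readable by a postinstall script of any package
    installed in this environment.
    """
    names = [k for k in environ
             if k.upper() in KNOWN_SECRET_ENV or any(m in k.upper() for m in SECRET_MARKERS)]
    return sorted(names)


# Constructed sample lockfile (lockfileVersion 3 shape); versions are made up.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/echarts-for-react": {"version": "3.0.2"},
        "node_modules/echarts-for-react/node_modules/size-sensor": {"version": "1.0.1"},
        "node_modules/@antv/scale": {"version": "0.4.16"},
        "node_modules/@antv/util": {"version": "3.3.7"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

# Constructed sample environment; values are placeholders.
SAMPLE_ENV = {"PATH": "/usr/bin", "HOME": "/home/dev", "TERM": "xterm",
              "NPM_TOKEN": "placeholder", "AWS_SECRET_ACCESS_KEY": "placeholder"}

if __name__ == "__main__":
    # Usage: python audit.py [path/to/package-lock.json]; defaults to the sample.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version, where in find_named_packages(lock):
        print(f"{name}@{version}  ({where})")
    import os
    print("credential-looking env vars:", exposed_secret_env(os.environ))
```

Point the script at a real package-lock.json to inventory a project; the lockfile walker understands both the v1 nested "dependencies" tree and the v2/v3 flat "packages" map, and the scope check catches any @antv package, not just @antv/scale. The env check deliberately prints names only.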
Read at theregister