The npm incident frightened everyone, but ended up being nothing to fret about
Briefly

"Security professionals and observers across the industry got swept into a pit of fear Monday when an attacker took over and injected malicious code into a series of widely used open-source packages in the Node.js package manager, or npm. Despite all that worry, the disaster that many presumed a foregone conclusion was averted and the consequences of the supply-chain attack were short-lived and minimal. Josh Junon, a developer and maintainer of the impacted software packages, took to social media early Monday to confirm his npm account was compromised via social engineering - a two-factor reset email that looked legitimate, he said."
"The attacker quickly posted updated software packages with payloads designed to intercept, manipulate and redirect cryptocurrency activity, according to researchers. Apprehension fueled by the popularity of the 18 packages affected - capturing more than 2 billion downloads per week combined, according to Aikido Security - pushed some defenders to the brink of full-on freak-out mode. Ultimately, the open-source poisoning attack was successful, but impact was thwarted."
"Junon said his account was restored about eight hours after he was duped by the social engineering attack, and infected versions of the packages were available for up to six hours before npm took them down and published stable versions. The most popular of the affected packages include ansi-styles, debug, chalk and supports-color. Many expected the compromise would result in widespread cryptocurrency theft, but the downstream effects of the attack appear negligible."
An attacker took over an npm maintainer account through a phishing email disguised as a two-factor authentication reset and used it to publish malicious versions of widely used Node.js packages. The injected payloads were designed to intercept, manipulate, and redirect cryptocurrency activity. Eighteen packages with more than 2 billion combined weekly downloads (per Aikido Security) were affected, including ansi-styles, debug, chalk, and supports-color. The infected versions were available for up to six hours before npm removed them and clean versions were published, and the maintainer's account was restored about eight hours after the compromise. The short exposure window kept the blast radius small and downstream cryptocurrency theft appears negligible; the practical check for anyone who installed or updated during that window is whether a lockfile, including transitive copies of the packages, resolved to one of the affected versions.
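As an added example (not code from the CyberScoop article, from npm, or from the affected projects), the script below audits a package-lock.json for known-bad versions of packages such as those named above. The lockfile contents, version strings and hashes in it are constructed placeholders; the real list of affected versions has to come from the npm advisory, since the article does not reproduce it. The script walks every nested copy of a package, because a transitive dependency resolves independently of the top-level one, and it also flags entries that carry no integrity hash.

```javascript
// Added example, not code from the CyberScoop article or from npm.
// Audits an npm lockfile (lockfileVersion 2 or 3, which keep a flat
// "packages" map keyed by install path; v1 "dependencies" trees are not
// handled) for specific package versions. Every version, hash and lockfile
// entry below is a constructed placeholder; take the real affected
// versions from the npm advisory.

// Constructed blocklist: package name -> versions that must not be installed.
const BAD_VERSIONS = {
  chalk: ["5.99.0-sample"],
  debug: ["4.99.0-sample"],
  "ansi-styles": ["6.99.0-sample"],
  "supports-color": ["9.99.0-sample"],
};

// Constructed lockfile. The supports-color nested under debug shows why a
// clean top-level pin is not enough: each copy resolves on its own.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { chalk: "^5.0.0", debug: "^4.0.0" } },
    "node_modules/chalk": { version: "5.1.0-sample", integrity: "sha512-AAAA" },
    "node_modules/debug": { version: "4.99.0-sample", integrity: "sha512-BBBB" },
    "node_modules/debug/node_modules/supports-color": { version: "9.99.0-sample" },
    "node_modules/ansi-styles": { version: "6.1.0-sample", integrity: "sha512-CCCC" },
  },
};

// "node_modules/debug/node_modules/supports-color" -> "supports-color";
// scoped names such as "node_modules/@types/node" keep their "@scope/" prefix.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i === -1 ? installPath : installPath.slice(i + marker.length);
}

// Returns { checked, findings }; each finding names the install path, the
// package, its resolved version and the problems found with that entry.
function auditLockfile(lock, badVersions) {
  const findings = [];
  let checked = 0;
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the root project itself
    checked += 1;
    const name = entry.name || packageNameFromPath(installPath);
    const problems = [];
    if ((badVersions[name] || []).includes(entry.version)) {
      problems.push("version in blocklist");
    }
    if (!entry.integrity) {
      // Without an integrity hash npm cannot verify that the tarball it
      // fetches matches what was originally locked.
      problems.push("no integrity hash");
    }
    if (problems.length > 0) {
      findings.push({ path: installPath, name, version: entry.version, problems });
    }
  }
  return { checked, findings };
}

// Stand-alone use: node audit-lock.js [path/to/package-lock.json]
// (falls back to the constructed SAMPLE_LOCK when no path is given).
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const result = auditLockfile(lock, BAD_VERSIONS);
  console.log(`checked ${result.checked} installed packages`);
  for (const f of result.findings) {
    console.log(`${f.path} (${f.name}@${f.version}): ${f.problems.join(", ")}`);
  }
}
```

Run it against a real lockfile with the advisory's version list substituted into BAD_VERSIONS; a hit on a nested path means a transitive dependency, not a direct one, pulled the flagged release, which is the case a top-level `npm ls` glance tends to miss.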
Read at CyberScoop