Supply chain attack compromises npm packages to spread backdoor malware
Briefly

A recent supply chain attack compromised several npm-hosted JavaScript type testing utilities to distribute malware. For example, a malicious version of the popular "is" utility was published after maintainers' accounts were hijacked. This infected version was online for six hours before npm admins restored the earlier version, v3.3.0. The attack affected multiple libraries, with attackers using phishing tactics to gain access to maintainer accounts. The affected packages received millions of downloads weekly, making them attractive targets for attackers.
In a newly discovered supply chain attack, attackers last week targeted a range of npm-hosted JavaScript type testing utilities, several of which were successfully compromised to distribute malware.
The "is" utility offers runtime external data validation and error checking. It's not clear how many packages would have updated to the malware-infected version of "is" during the time it was online.
The infected version was removed by npm admins and v3.3.0 reinstated as the latest. Version 3.3.2 has since been published in its place.
According to supply chain defense vendor Socket, the packages targeted included eslint-config-prettier, eslint-plugin-prettier, synckit@0.11.9 and @pkgr/core@0.2.8.
Read at CSO Online