NPM Package is Hijacked: A Wake-Up Call for Open Source Security

Listen to this Post

🐢▶️ Listen🚀

Introduction

A widely used NPM package, “is,” with over 2.7 million weekly downloads, was recently compromised in a sophisticated phishing attack. Hackers injected malware that established persistent remote access, stole environment variables, and remained active even after package removal. This incident highlights critical vulnerabilities in open-source supply chains and the urgent need for stronger security practices.

Learning Objectives

• Understand how attackers exploited the NPM ecosystem via phishing and weak DMARC policies.
• Learn how to detect and mitigate similar supply chain attacks.
• Implement best practices for securing dependencies and developer environments.

You Should Know

1. How the Attack Worked: WebSocket-Based C2 Malware

The malware established a WebSocket connection to the attackers’ server, enabling remote code execution.

Detecting Suspicious WebSocket Connections (Linux):

netstat -tulnp | grep -i websocket

Steps:

1. Run the command to check active WebSocket connections.

2. Investigate any unknown IPs or domains.

3. Block malicious endpoints using `iptables`:

sudo iptables -A OUTPUT -d <malicious-ip> -j DROP

2. Identifying Compromised NPM Packages

Attackers injected malicious code into multiple packages, including `eslint-config-prettier` and @pkgr/core.

Scan for Malicious Dependencies:

npm audit

Steps:

1. Run `npm audit` to detect known vulnerabilities.

1. Use `npm ls` to list all installed dependencies.

3. Manually review `package-lock.json` for suspicious scripts.

3. Removing Persistent Malware

The malware survived package deletion by rewriting local files like index.js.

Find and Remove Malicious Files (Linux/Windows):

find / -name "index.js" -exec grep -l "eval(" {} \;

Steps:

1. Search for files containing malicious `eval()` calls.

2. Delete or quarantine infected files.

3. Reinstall clean versions of affected packages.

4. Securing Environment Variables

The malware stole sensitive credentials stored in environment variables.

Encrypting Environment Variables (Linux):

openssl enc -aes-256-cbc -salt -in .env -out .env.enc

Steps:

1. Encrypt `.env` files before committing to Git.

1. Use a secrets manager (AWS Secrets Manager, HashiCorp Vault).

3. Restrict file permissions:

chmod 600 .env

5. Preventing Future Attacks with DMARC/DKIM

The attack succeeded due to missing DMARC protections on npm’s domain.

Verify DMARC/DKIM Records:

dig TXT _dmarc.npmjs.com

Steps:

1. Ensure your organization’s domain has DMARC/DKIM configured.

2. Set policies to reject spoofed emails:

v=DMARC1; p=reject; rua=mailto:[email protected]

1. Using OSS Rebuild for Supply Chain Security
   Google’s OSS Rebuild detects tampered packages by comparing rebuilt versions with published ones.

Check Package Integrity:

npm ci --ignore-scripts

Steps:

1. Use `–ignore-scripts` to prevent post-install attacks.

2. Verify package checksums with `shasum`.

7. Isolating Development Environments

A victim had to replace their SSD and reinstall Windows due to the malware’s persistence.

Use Docker for Safe Development:

docker run --rm -it -v $(pwd):/app node:latest bash

Steps:

1. Develop in disposable containers to limit malware spread.

2. Avoid running `npm install` on host machines.

What Undercode Say

• Key Takeaway 1: Open-source maintainers are high-value targets—phishing remains a top attack vector.
• Key Takeaway 2: Supply chain attacks are evolving; manual audits and automated tools like OSS Rebuild are essential.

Analysis:

This attack underscores the fragility of open-source ecosystems. While initiatives like OSS Rebuild help, developers must adopt stricter dependency hygiene, multi-factor authentication for package publishers, and isolated development environments. The incident also highlights the need for npm and other registries to enforce stronger email security (DMARC) and package signing.

Prediction

Future attacks will increasingly target lesser-known but widely used dependencies, leveraging AI-generated phishing emails to deceive maintainers. Organizations will shift towards zero-trust development pipelines, requiring cryptographic verification for every dependency. Until then, vigilance and automation remain our best defenses.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Hurkankalan Un – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky