Yeshen-Asia: Large-Scale NPM Supply Chain Attack

A coordinated software supply chain attack dubbed “Yeshen-Asia” has been discovered, leveraging malicious NPM packages. Threat actors used automation to create multiple NPM accounts and email addresses, evading detection by security vendors. Some malicious packages remained undetected for over four months, accumulating 23,000+ downloads.

Key Details

  • Attack Method: Automated NPM account creation to distribute malicious packages.
  • Evasion: The accounts shared no common NPM username or email pattern, making detection difficult.
  • Duration: Some packages remained active for 4+ months.
  • IOCs & Analysis: Detailed in the blog post.

You Should Know: Detecting & Mitigating NPM Supply Chain Attacks

1. Identifying Malicious NPM Packages

Use these commands to inspect installed packages:

# List globally installed NPM packages
npm list -g --depth=0

# Check installed dependencies against the advisory database
npm audit

# Verify package integrity: reinstall from package-lock.json and check each tarball's integrity hash
npm ci --audit

2. Analyzing Suspicious Packages

Extract metadata and inspect scripts:

# View package metadata (maintainers, publish dates, tarball URL, lifecycle scripts)
npm view <package-name>

# Download the tarball and unpack it for offline inspection
# (npm pack writes <package-name>-<version>.tgz)
npm pack <package-name>
tar -xvzf <package-name>-<version>.tgz

3. Detecting Malicious Automation

Check for unusual account patterns (these log checks apply only to a registry you operate yourself; the public registry's logs are not available to consumers):

# Check registry access logs for account creation (log path and message text depend on your registry software)
grep -r "new user registration" /var/log/npm/

# Monitor API requests for bulk account creation (unit name is illustrative; use your registry's service name)
journalctl -u npm-registry --since "1 hour ago" | grep "POST /user"

4. Hardening NPM Security

Prevent unauthorized package installations:

# Require valid TLS certificates for registry connections (this is the default; confirm nobody has turned it off)
npm config set strict-ssl true

# Enable two-factor authentication for both login and publishing
npm profile enable-2fa auth-and-writes

5. Windows & Linux Threat Hunting

Search for suspicious network connections:

# Windows: list established connections together with the owning process ID
netstat -ano | findstr "ESTABLISHED"

# Linux: capture outbound HTTP/HTTPS traffic during an install for later review
sudo tcpdump -i eth0 'dst port 80 or dst port 443' -w npm_suspicious_traffic.pcap

What Undercode Says

The Yeshen-Asia campaign highlights critical gaps in open-source supply chain security. Automated attacks bypass traditional detection, requiring:
– Strict registry policies (manual review for high-download packages).
– Behavioral analysis (detecting bulk account creation).
– Mandatory 2FA for NPM publishers.

Future attacks may leverage AI-driven obfuscation, making manual reviews insufficient.

Expected Output

  • Detection: `npm audit` + network monitoring.
  • Prevention: Enforce 2FA, strict-ssl, and automated scanning.
  • Response: Isolate infected systems, revoke compromised packages.

For full technical details, refer to the original blog post.

Prediction

Supply chain attacks will increasingly use AI-generated packages with realistic metadata, forcing adoption of runtime behavioral analysis over static checks.

References:

Reported By: Mccartypaul Softwaresupplychain – Hackers Feeds