Supply Chain Compromise Pushes Credential Stealer via Popular npm Package
A widely depended-on npm package was briefly published with malicious post-install scripts targeting developer credentials.
A popular npm package with millions of weekly downloads was briefly published with malicious post-install scripts that exfiltrated environment variables and cloud credentials from developer machines and CI runners.
Timeline
The malicious version was live for several hours before being yanked by the registry. CI systems that ran installs during the window are presumed compromised.
What To Do
- Audit lockfiles for the affected version range.
- Rotate any credentials that were present in environments that ran installs during the window.
- Pin and verify dependency hashes; consider a private package proxy.
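As an added example that is not part of this brief, the Node.js script below audits a package-lock.json (lockfile v2/v3) for the first and third steps above: it lists every install location of an affected package within a version range, whether each entry carries an integrity hash to verify against, and whether npm flagged it as having an install script. The package name, version range and lockfile contents are constructed placeholders, since the brief does not name them; take the real values from the linked advisories.

```javascript
// Added example, not from the brief: audit a package-lock.json (lockfile v2/v3)
// for an affected package. Name, range and lockfile contents are PLACEHOLDERS.
const AFFECTED_PACKAGE = 'example-affected-package';   // placeholder
const AFFECTED_RANGE = { min: '4.2.0', max: '4.2.1' }; // placeholder, inclusive

// Compare major.minor.patch numerically; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function inRange(v, r) {
  return compareVersions(v, r.min) >= 0 && compareVersions(v, r.max) <= 0;
}

// Return every install location of `name` (nested copies included) whose version
// falls in `range`. Lockfile v2/v3 keys "packages" by node_modules path and flags
// entries that carry install scripts with hasInstallScript.
function findAffected(lock, name, range) {
  const hits = [];
  for (const [path, e] of Object.entries(lock.packages || {})) {
    const n = e.name || path.split('node_modules/').pop();
    if (n !== name || !e.version || !inRange(e.version, range)) continue;
    hits.push({ path, version: e.version, hasInstallScript: e.hasInstallScript === true,
      integrity: e.integrity || null }); // null: no hash to verify the tarball against
  }
  return hits;
}

// Constructed sample lockfile. For a real audit replace it with
// JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/example-affected-package':
      { version: '4.2.1', hasInstallScript: true, integrity: 'sha512-PLACEHOLDER' },
    'node_modules/other': { version: '2.0.0', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/other/node_modules/example-affected-package':
      { version: '4.1.9', integrity: 'sha512-PLACEHOLDER' },
  },
};

console.log(JSON.stringify(findAffected(SAMPLE_LOCK, AFFECTED_PACKAGE, AFFECTED_RANGE), null, 2));
```

Run it against every lockfile in the repository and in CI caches, since nested copies under other packages are installed too; an entry with `integrity: null` cannot be verified against the registry tarball and should be re-resolved.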
This brief covers impact and remediation only; technical IoCs are available in the linked advisories.
Sources
- npm advisory · GitHub
Disclaimer: CyberBrief HQ articles are for informational purposes only and do not constitute security advice for any specific environment. Always validate guidance against your own controls and vendor advisories before acting.
