The largest supply-chain attack in the history of the npm ecosystem reached almost every cloud environment, yet the attackers made very little profit from it.
The attack occurred earlier this week when maintainer Josh Junon (Qix) fell for a password-reset phishing lure, and many of the highly popular npm packages he maintains were compromised, among them chalk and debug-js, which together account for more than 2.6 billion weekly downloads.
After gaining access to Junon's account, the attackers pushed updates containing malicious modules that the threat actor used to steal cryptocurrency by redirecting transactions.
The open-source software community quickly discovered the attack, and all malicious packages were removed within two hours.
According to researchers at the cloud security company Wiz, one or more of the compromised packages, which are fundamental building blocks for almost any JavaScript/Node project, are used in 99% of cloud environments.
During the two-hour window in which they were available for download, the compromised packages were pulled into about 10% of cloud environments.
“During the brief 2-hour window in which the malicious versions were available on npm, the malicious code successfully reached 1 in 10 cloud environments,” explained Wiz.
“This serves to demonstrate how quickly malicious code can propagate in such supply chain attacks.”

The 10% figure is based on Wiz's visibility into customer cloud environments as well as public sources. Although it may not be a representative percentage, it is still an indication of how rapidly the attack spread and how far it reached.

The attackers earned less than $1,000

Although the attack caused considerable disruption, with companies spending a significant number of hours on cleanup, rebuilding and auditing, the security implications are negligible, as are the threat actor's gains.
According to an analysis by the Security Alliance, the injected code swapped cryptocurrency wallet addresses in targeted browser environments and hooked Ethereum and Solana signing requests, diverting transactions to the attacker (crypto-jacking).
The nature of the payload is what spared companies that had pulled the compromised packages from a far more serious security incident, since the threat actor could have used that reach to deploy reverse shells, move laterally within networks, or plant destructive malware.
Despite the massive scale of the attack and its many victims, the attackers managed to divert only five cents' worth of ETH and an almost unknown memecoin worth about $20.
Socket researchers published a report yesterday warning that the same phishing campaign also hit the DuckDB maintainer account, compromising the project's packages with the same crypto-stealing code.
According to them, the attackers' gains found so far amount to about $429 in Ethereum, $46 in Solana, and small amounts in BTC, Tron, BCH and LTC.
It is also noted that the attacker's wallet addresses holding any significant amount have been flagged, which limits their ability to convert or use the small sums they made.