Large-scale supply chain attack used 218 malicious NPM packages

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism. His expertise lies in identifying the latest technological trends, dissecting complex topics, and weaving compelling narratives around the most cutting-edge developments. His articles and interviews with leading industry figures have gained him recognition as a key influencer by organisations such as Onalytica. Publications under his stewardship have since gained recognition from leading analyst houses like Forrester for their performance. Find him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


A large-scale supply chain attack has been uncovered that used 218 malicious NPM packages.

Researchers from JFrog claim that several of their automated analysers started throwing up alerts regarding a set of packages in the npm registry earlier this week.

Over a few days, the number of packages swelled from around 50 packages to more than 200 (as of March 21st).

The researchers manually analysed the packages and found that it was a targeted attack against the @azure npm scope.

JFrog says the attacker used an automatic script to create accounts and upload malicious packages that cover the entirety of the @azure scope. The firm says that packages from the following scopes were also targeted –  @azure-rest, @azure-tests, @azure-tools and @cadl-lang.

The attack used “typosquatting” to copy the name of a legitimate package but with a simple error.

In this case, the attacker relied on some developers erroneously omitting the @azure prefix when installing a package. For example, running ‘npm install core-tracing’ instead of ‘npm install @azure/core-tracingcontained’.

With the legitimate packages downloaded tens of millions of times per week, it’s likely some developers were caught out. If they were, they’d have been subjected to Personally Identifiable Information (PII) stealers.

JFrog reported its findings to the npm maintainers and said they were “quickly” removed. JFrog gave high praise to the maintainers, saying they take security very seriously which “was demonstrated many times by their actions, such as the preemptive blocking of specific package names to avoid future typosquatting and their two-factor-authentication requirement for popular package maintainers.”

However, JFrog recommends that a CAPTCHA mechanism should be implemented for user creation to prevent mass account creation. The firm also says there’s a need for automatic package filtering as part of a secure software curation process, based on either SAST or DAST techniques (“or preferably – both”).

Azure developers should check any installed packages start with the @azure scope. JFrog says that users of its Xray solution will have been protected as it adds all verified findings to it prior to public disclosure.

(Photo by Possessed Photography on Unsplash)

Related: ‘Protestware’ emerges amid Russia-Ukraine crisis

Want to learn more about cybersecurity from industry leaders? Check out Cyber Security & Cloud Expo. The next events in the series will be held in Santa Clara on 11-12 May 2022, Amsterdam on 20-21 September 2022, and London on 1-2 December 2022.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: , , , , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *