Ashutosh reports:
The recent npm supply chain breach shows just how fragile open source ecosystems can be when trust in a single maintainer account is abused. Hackers tricked the maintainer of chalk, debug, ansi-styles, and several other popular npm packages with a phishing email disguised as official support. Once they gained access, they pushed malicious code into 18 npm packages that together see more than two billion downloads every week. Billions of downloads tied back to libraries that developers include almost without thinking.
The malicious code was designed with one purpose to target crypto wallets. When installed, it scans for browser-based wallets like MetaMask. At the point of approving a transaction, it silently replaced the recipient’s address with one controlled by the attackers. From the user’s point of view, nothing looked suspicious.The wallet interface showed the same flow, but the funds moved somewhere else. This kind of invisible theft is hard to spot until the money is already gone.
Read more at Coininfomania.
A quick response significantly limited the damage. Naga Avan-Nomayo reports that Charles Guillemet, Ledger’s CTO, claimed there were almost no victims:
Ledger’s chief technology officer said Tuesday that a widely watched supply-chain attack on the Node Package Manager ecosystem “fortunately failed,” with “almost no victims,” after a phishing campaign let attackers publish malicious updates to popular JavaScript packages before the compromise was detected and shut down.