Ax Sharma reports:
Security researchers have identified at least 187 npm packages compromised in an ongoing supply chain attack, with a malicious self-propagating payload to infect other packages.
The coordinated worm-style campaign dubbed ‘Shai-Hulud’ started yesterday with the compromise of the @ctrl/tinycolor npm package, which receives over 2 million weekly downloads.
Since then, the campaign has expanded significantly and now includes packages published under CrowdStrike’s npm namespace.
Yesterday, Daniel Pereira, a senior backend software engineer, alerted the community to a large-scale software supply chain attack affecting the world’s largest JavaScript registry, npmjs.com.
Read more at Bleeping Computer.