Around a dozen npm packages, including the widely used 'country-currency-map' package and other cryptocurrency-related packages, have been hijacked with malicious JavaScript code that harvests environment variables.
According to BleepingComputer, these variables included API and encryption keys, as well as cloud and database credentials. Sonatype's analysis found that only country-currency-map had been removed from npm; nine other infostealer-laced packages, which the company believed had been targeted by threat actors using the same technique, remained available.
"Given the concurrent timing of the attacks on multiple packages from distinct maintainers, the first scenario (maintainer accounts takeover) appears to be a more likely scenario as opposed to well-orchestrated phishing attacks," said Sonatype.
Threat actors were also more likely to have exploited inadequate npm maintainer account security in conducting the attack, as evidenced by the absence of malware compromise among the impacted npm projects' respective GitHub repositories.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.