this post was submitted on 08 Sep 2025
7 points (100.0% liked)

Pulse of Truth

1653 readers
87 users here now

Cyber Security news and links to cyber security stories that could make you go hmmm. The content is exactly as it is consumed through RSS feeds and wont be edited (except for the occasional encoding errors).

This community is automagically fed by an instance of Dittybopper.

founded 2 years ago
MODERATORS
krogoth
7
Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack (www.bleepingcomputer.com)
submitted 1 month ago by lemmydev2 to c/pulse_of_truth
1 comments fedilink hide all child comments
 

In what is being called the largest supply chain attack in history, attackers have injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack. [...]

top 1 comments
sorted by: hot top controversial new old
[–] bleistift2@sopuli.xyz 3 points 1 month ago* (last edited 1 month ago)

The packages hijacked so far collectively have over 2.6 billion downloads every week:

  • backslash (0.26m downloads per week)
  • chalk-template (3.9m downloads per week)
  • supports-hyperlinks (19.2m downloads per week)
  • has-ansi (12.1m downloads per week)
  • simple-swizzle (26.26m downloads per week)
  • color-string (27.48m downloads per week)
  • error-ex (47.17m downloads per week)
  • color-name (191.71m downloads per week)
  • is-arrayish (73.8m downloads per week)
  • slice-ansi (59.8m downloads per week)
  • color-convert (193.5m downloads per week)
  • wrap-ansi (197.99m downloads per week)
  • ansi-regex (243.64m downloads per week)
  • supports-color (287.1m downloads per week)
  • strip-ansi (261.17m downloads per week)
  • chalk (299.99m downloads per week)
  • debug (357.6m downloads per week)
  • ansi-styles (371.41m downloads per week)

[…]

[…] there are specific criteria that must be met for an app to have been affected, which significantly decreases the impact. This includes:

  • A fresh install between ~9 AM and ~11.30 AM ET [13:00 – 15:30 UTC on 8th Sep, 2025], when the packages were compromised
  • Package-lock.json was created during that time
  • Vulnerable packages in direct or transient dependencies