npm Supply Chain Attacks: Why They Keep Happening and How to Defend
npm supply chain attacks remain a significant risk to developers and organizations. A common pattern is a compromised maintainer account being used to publish a malicious version of an otherwise trusted package, which then reaches everyone who installs it. To reduce exposure, teams are encouraged to install from a lockfile first (rather than resolving fresh versions at install time) and to run static analysis over the packages they pull in.
- Every few months, a new npm package gets hijacked and ships malware to anyone who runs npm install.
- Compromised maintainer accounts usually trace back to leaked tokens, reused passwords, or phishing.
- npm's structural choices, such as running packages' install-time lifecycle scripts (for example postinstall) by default, leave it more exposed than package managers that do not execute package code on install.
Opening excerpt (first ~120 words)
pickuma, posted on May 18, originally published at pickuma.com. Tags: #webdev #devops #cloud #astro

Every few months, a new npm package gets hijacked, ships malware to anyone who runs npm install, and the cycle repeats. The October 2021 ua-parser-js compromise. The 2022 node-ipc protestware. The recurring typosquats. The maintainer accounts taken over via phishing or expired domains.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to.