
Supply-chain attacks on open source software are getting out of hand

Threat Score: 68 • 4 articles • 100.0% similarity • 2 days ago

Activity Timeline (4 articles, oldest to latest): Jul 23, Jul 24, Jul 25, Jul 25

Key Insights

1. Recent supply chain attacks on npm packages have compromised multiple developer accounts, injecting backdoor malware into popular JavaScript utilities, including the widely used 'is' package.
2. The 'is' package, with 2.8 million weekly downloads, was infected for approximately six hours before being removed, affecting around 5,000 users who downloaded the malicious version.
3. Attackers gained access via phishing campaigns, leading to unauthorized account changes and the distribution of malware through compromised packages.
4. Immediate actions required include auditing npm package dependencies, updating to clean versions, and enhancing security measures for developer accounts to prevent phishing attacks.

Threat Overview

A series of supply chain attacks has targeted npm packages, notably the 'is' package, which was compromised to distribute backdoor malware affecting approximately 5,000 users [1][4]. The attackers took over developer accounts through phishing, which allowed them to push malicious updates that went undetected for hours [2][3]. This incident underscores the vulnerability of open-source software supply chains and the potential for widespread impact on developers and organizations relying on these packages [1][2]. Security teams should immediately audit their npm dependencies, ensure they are using clean versions, and implement stronger phishing defenses for developers [3][4].

Tactics, Techniques & Procedures (TTPs)

  • T1566.001 Spearphishing Attachment - Phishing campaigns targeting developer accounts to gain access [3][4]
  • T1078 Valid Accounts - Compromised developer accounts used to publish malicious packages [1][2]
  • T1203 Exploitation for Client Execution - Distribution of malware through compromised npm packages [1][4]
  • T1566.002 Spearphishing Link - Phishing links used to hijack developer accounts [3][4]

Timeline of Events

  • 2025-07-19: Compromised version of 'is' package released with malware [1]
  • 2025-07-19: Malware detected and reported by maintainer [1]
  • 2025-07-25: Reports of multiple npm packages compromised and malware distribution confirmed [2]
  • Ongoing: Continued monitoring for supply chain attacks on open source software [2][3]
Powered by ThreatCluster AI. Generated 12 hours ago. AI analysis may contain inaccuracies.

Related Articles

1. Supply-chain attacks on open source software are getting out of hand
Ars Technica • 21 hours ago

It has been a busy week for supply-chain attacks targeting open source software available in public repositories, with successful breaches of multiple developer accounts that resulted in malicious packages being pushed to unsuspecting users. The latest target, according to security firm Socket, is JavaScript code available on repository npm. A total of 10 packages available from the npm page belonging to global talent agency Toptal contained malware and were downloaded by roughly 5,000 users befor

Score: 57 • 100.0% similarity
2. Supply chain attack compromises npm packages to spread backdoor malware
CSO Online • 1 day ago

In a newly discovered supply chain attack, attackers last week targeted a range of npm-hosted JavaScript type testing utilities, several of which were successfully compromised to distribute malware. Anyone automatically downloading these packages would have been exposed to a backdoor supply chain attack until cleaned versions were installed. In one example on July 19, attackers loaded the popular is npm JavaScript type testing utility with malware that went unnoticed for six hours. The bad news

Score: 56 • 100.0% similarity
3. NPM package 'is' with 2.8M weekly downloads infected devs with malware
BleepingComputer • 2 days ago

Bill Toulas, July 23, 2025, 11:57 AM: The popular NPM package 'is' has been compromised in a supply chain attack that injected backdoor malware, giving attackers full access to compromised devices. This occurred after maintainer accounts were hijacked via phishing, followed by unauthorized owner changes that went unnoticed for several hours, potentially compromising many developers who downloaded the new releases. The 'is' pac

Score: 52 • 96.0% similarity
4. High-Value NPM Developers Compromised in New Phishing Campaign
SecurityWeek • 2 days ago

Hackers have injected malware into popular NPM packages after compromising several developer accounts in a fresh phishing campaign.

Score: 50 • 96.0% similarity

Cluster Information: Cluster #1351 • Created 2 days ago • Semantic Algorithm