[GoLUG] Today's Node / NPM malware attack news

Ron ron at bclug.ca
Wed Aug 27 17:50:48 EDT 2025


Hendrik Boom wrote on 2025-08-27 04:43:

>> I personally am very hesitant to include any old node package
>> unless it's widely used for that reason.
>> 
> I have become hesitant to include any node package.

There are some really good packages in NPM / node, but for today's news:


> Nx NPM packages poisoned in AI-assisted supply chain attack
> 
> Stolen dev credentials posted to GitHub as attackers abuse CLI tools 
> for recon
> 
> Nx is the latest target of a software supply chain attack in the NPM 
> ecosystem, with multiple malicious versions being uploaded to the
> NPM registry on Tuesday evening.

Looks pretty bad. Not sure what an "open source code base management
platform" is / does.


> To our knowledge, this is one of the first documented cases of 
> malware coercing AI‑assistant CLIs to assist in reconnaissance.



They are not saying how the devs first got hacked in this watering hole
attack.

> As for how the attacker gained access to Nx's NPM account, Wiz said
> it currently believes that a token, which had publishing rights to
> the compromised packages, was compromised through unspecified means.


The repo was infected for ~8 hours.

https://www.theregister.com/2025/08/27/nx_npm_supply_chain_attack/

