{"id":5479,"date":"2025-09-11T11:33:00","date_gmt":"2025-09-11T11:33:00","guid":{"rendered":"https:\/\/signmycode.com\/blog\/?p=5479"},"modified":"2025-09-11T11:34:11","modified_gmt":"2025-09-11T11:34:11","slug":"npm-supply-chain-attack-what-happened-and-how-to-protect-your-software","status":"publish","type":"post","link":"https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software","title":{"rendered":"npm Supply Chain Attack: What Happened and How to Protect Your Software"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-a-new-supply-chain-attack-in-the-npm-ecosystem\">A New Supply Chain Attack in the npm Ecosystem<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">On September 8, 2025, a <a href=\"https:\/\/www.csoonline.com\/article\/4053725\/massive-npm-supply-chain-attack-hits-18-popular-packages-with-2b-weekly-downloads.html\">large-scale npm supply chain attack<\/a> compromised 18 popular packages (together, the 18 packages account for <strong>more than 2.6 billion<\/strong> weekly downloads across the npm ecosystem).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Attackers hijacked a maintainer&#8217;s account by impersonating npm support in a phishing campaign, then used that account to publish backdoored versions of widely used packages such as chalk, debug, ansi-styles, and supports-color.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Recommended:<\/strong> <a href=\"https:\/\/signmycode.com\/blog\/what-is-software-supply-chain-security-comprehensive-guide\">What Is Software Supply Chain Security? Comprehensive Guide<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The attack vector was the phished maintainer account; the payload itself targeted cryptocurrency transactions in ETH, BTC, SOL, LTC, and BCH. 
The malicious code monkey-patched fetch and XMLHttpRequest in the browser and silently rewrote the destination address of outgoing payments to attacker-controlled wallets, choosing a replacement that visually resembled the legitimate address so the swap would not stand out.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">npm removed the compromised versions within about 2.5 hours; however, any project that installed or updated these packages during that window, then built and deployed, may have shipped the malicious code to end users.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-summary-of-the-attack\">Summary of the Attack<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Initial Access:<\/strong> A phishing email from support@npmjs[.]help (a look-alike of the real npmjs.com domain) urging the maintainer to update two-factor authentication, which led to the account takeover.<\/li>\n\n\n\n<li><strong>Payload: <\/strong>Malicious JavaScript was injected into the index.js files of the affected open-source packages.<\/li>\n\n\n\n<li><strong>Execution Surface:<\/strong> Client-side (browser) applications that bundled the malicious versions; the payload only acts where a browser window object exists, so plain Node.js server processes were not its target, although they still pulled the tainted code into their dependency tree.<\/li>\n\n\n\n<li><strong>Goals:<\/strong> To intercept and redirect cryptocurrency transactions.<\/li>\n\n\n\n<li><strong>Timing:<\/strong> September 8, 2025 \u2013 18:30 to 21:00 IST (13:00 to 15:30 UTC, around two-and-a-half hours).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Recommended:<\/strong> <a href=\"https:\/\/signmycode.com\/blog\/github-supply-chain-attack-expose-secrets-across-218-repositories\">GitHub Supply Chain Attack: CVE-2025-30066 and CVE-2025-30154 Expose Secrets Across 218 Repositories<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-stellar-development-foundation-s-response\">Stellar Development Foundation\u2019s Response<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The Stellar Development Foundation (SDF) issued a prompt response stating that its projects were unaffected.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-sdf-s-steps\"><a><\/a>SDF\u2019s Steps:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>They conducted manual and automated audits of dependencies across all of their GitHub projects.<\/li>\n\n\n\n<li>They pinned 
npm packages to the last known-safe version.<\/li>\n\n\n\n<li>They advised developers to audit their local builds and CI pipelines for any exposure.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">They clarified that the malware did not target Stellar wallets; it primarily affected ETH, BTC, and the other chains listed above.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Recommended:<\/strong> <a href=\"https:\/\/signmycode.com\/blog\/salesloft-drift-supply-chain-attack-hits-palo-alto-networks-and-zscaler\">Salesloft Drift Supply Chain Attack Hits Palo Alto Networks and Zscaler<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-developers-should-do-now\">What Should Developers Do Now?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Even if your projects were not hit directly, this incident is a reminder for every organization to know exactly which open-source components it depends on, direct and transitive, so that it can act within hours when one of them is compromised.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-immediate-actions\"><a><\/a>Immediate Actions:<\/h3>\n\n\n\n<ul start=\"1\" class=\"wp-block-list\">\n<li>Audit your full dependency tree, transitive dependencies included, using npm audit, an SCA scanner, or a third-party service, and check it against the published list of compromised versions.<\/li>\n\n\n\n<li>Pin exact versions in package.json and commit your lockfile (package-lock.json, yarn.lock); in CI, install with npm ci so the lockfile is honored instead of being re-resolved against the registry.<\/li>\n\n\n\n<li>Check whether any build or <a href=\"https:\/\/signmycode.com\/blog\/what-is-ci-cd-detailed-guide-on-ci-cd-pipeline\">pipeline<\/a> ran npm install during the attack window; if so, treat the resulting artifacts as suspect, rebuild with known-safe versions, and redeploy.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Recommended:<\/strong> <a href=\"https:\/\/signmycode.com\/blog\/software-supply-chain-attacks-notable-examples-and-prevention-strategies\">Software Supply Chain Attacks: Notable Examples and Prevention Strategies<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-precautions-to-prevent-future-supply-chain-attacks\">Precautions to Prevent Future Supply Chain Attacks<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Organizations can take a layered approach 
to secure their software ecosystem:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Utilizing <a href=\"https:\/\/signmycode.com\/blog\/what-is-a-software-bill-of-material-sbom-and-supply-chain-security\">SBOM (Software Bill of Materials)<\/a>:<\/strong> Maintain an up-to-date inventory of every dependency, direct and transitive, with exact versions, so that when a compromised version is announced you can tell quickly whether, and where, it is present in your builds.<\/li>\n\n\n\n<li><strong>Using Code Signing Certificates:<\/strong> Signing your software with a <a href=\"https:\/\/signmycode.com\/\">trusted Code Signing Certificate<\/a> before distributing it lets consumers verify who published it and that it was not altered after signing. Keep the limit in mind: a signature attests to the publisher and to post-signing integrity, not to the cleanliness of the dependencies bundled inside, so signing complements dependency auditing rather than replacing it.<\/li>\n\n\n\n<li><strong>Securing Private Keys on HSM:<\/strong> Keep signing keys in a <a href=\"https:\/\/signmycode.com\/blog\/what-is-a-hardware-security-module-role-of-hsms-for-digital-signing\">Hardware Security Module (HSM)<\/a> so the private key can never be exported; an attacker who takes over a build host or a developer account, as happened with the maintainer&#8217;s npm account here, still cannot walk away with the key.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Follow dependency pinning and SBOM practices, and use <a href=\"https:\/\/signmycode.com\/digicert-software-trust-manager\">DigiCert Software Trust Manager<\/a> for secure code signing and software validation, to limit the blast radius of future supply chain attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A New Supply Chain Attack in the npm Ecosystem On September 8, 2025, a large-scale npm supply chain attack compromised 18 popular packages (together, the 18 packages account for more than 2.6 billion weekly downloads across the npm ecosystem). 
Attackers hijacked a maintainer&#8217;s account by impersonating npm support in a phishing campaign to upload backdoored&hellip; <a class=\"more-link\" href=\"https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software\">Read More <span class=\"screen-reader-text\">npm Supply Chain Attack: What Happened and How to Protect Your Software<\/span><\/a> <\/p>\n","protected":false},"author":1,"featured_media":5480,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[458,457],"tags":[879],"class_list":["post-5479","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security","category-developers-guide","tag-npm-supply-chain-attack","entry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v24.6 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Massive npm Supply Chain Attack: Impact, Lessons &amp; Precautions<\/title>\n<meta name=\"description\" content=\"Know about one of the largest npm supply chain incidents in recent history, the importance of SBOM, and Precautions to Prevent Future Supply Chain Attacks.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"npm Supply Chain Attack: What Happened and How to Protect Your Software\" \/>\n<meta property=\"og:description\" content=\"Know about one of the largest npm supply chain incidents in recent history, the importance of SBOM, and Precautions to Prevent Future Supply Chain Attacks.\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software\" \/>\n<meta property=\"og:site_name\" content=\"SignMyCode - Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-11T11:33:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-11T11:34:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2025\/09\/npm-supply-chain-attack.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"912\" \/>\n\t<meta property=\"og:image:height\" content=\"453\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Janki Mehta\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Janki Mehta\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software\",\"url\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software\",\"name\":\"Massive npm Supply Chain Attack: Impact, Lessons & 
Precautions\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/npm-supply-chain-attack.webp\",\"datePublished\":\"2025-09-11T11:33:00+00:00\",\"dateModified\":\"2025-09-11T11:34:11+00:00\",\"description\":\"Know about one of the largest npm supply chain incidents in recent history, the importance of SBOM, and Precautions to Prevent Future Supply Chain Attacks.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/signmycode.com\\\/blog\\\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software#primaryimage\",\"url\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/npm-supply-chain-attack.webp\",\"contentUrl\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/npm-supply-chain-attack.webp\",\"width\":912,\"height\":453,\"caption\":\"npm Debug and Chalk Packages 
Compromised\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"npm Supply Chain Attack: What Happened and How to Protect Your Software\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/\",\"name\":\"SignMyCode - Blog\",\"description\":\"Code Signing News, Updates\",\"publisher\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/#organization\",\"name\":\"SignMyCode.com\",\"url\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/logo1.png\",\"contentUrl\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/10\\\/logo1.png\",\"width\":135,\"height\":86,\"caption\":\"SignMyCode.com\"},\"image\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Massive npm Supply Chain Attack: Impact, Lessons & Precautions","description":"Know about one of the largest npm supply chain incidents in recent history, the importance of SBOM, and Precautions to Prevent Future Supply Chain Attacks.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software","og_locale":"en_US","og_type":"article","og_title":"npm Supply Chain Attack: What Happened and How to Protect Your Software","og_description":"Know about one of the largest npm supply chain incidents in recent history, the importance of SBOM, and Precautions to Prevent Future Supply Chain Attacks.","og_url":"https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software","og_site_name":"SignMyCode - Blog","article_published_time":"2025-09-11T11:33:00+00:00","article_modified_time":"2025-09-11T11:34:11+00:00","og_image":[{"width":912,"height":453,"url":"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2025\/09\/npm-supply-chain-attack.webp","type":"image\/jpeg"}],"author":"Janki Mehta","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Janki Mehta","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software","url":"https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software","name":"Massive npm Supply Chain Attack: Impact, Lessons & Precautions","isPartOf":{"@id":"https:\/\/signmycode.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software#primaryimage"},"image":{"@id":"https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software#primaryimage"},"thumbnailUrl":"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2025\/09\/npm-supply-chain-attack.webp","datePublished":"2025-09-11T11:33:00+00:00","dateModified":"2025-09-11T11:34:11+00:00","description":"Know about one of the largest npm supply chain incidents in recent history, the importance of SBOM, and Precautions to Prevent Future Supply Chain Attacks.","breadcrumb":{"@id":"https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software#primaryimage","url":"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2025\/09\/npm-supply-chain-attack.webp","contentUrl":"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2025\/09\/npm-supply-chain-attack.webp","width":912,"height":453,"caption":"npm Debug and Chalk Packages 
Compromised"},{"@type":"BreadcrumbList","@id":"https:\/\/signmycode.com\/blog\/npm-supply-chain-attack-what-happened-and-how-to-protect-your-software#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/signmycode.com\/blog\/"},{"@type":"ListItem","position":2,"name":"npm Supply Chain Attack: What Happened and How to Protect Your Software"}]},{"@type":"WebSite","@id":"https:\/\/signmycode.com\/blog\/#website","url":"https:\/\/signmycode.com\/blog\/","name":"SignMyCode - Blog","description":"Code Signing News, Updates","publisher":{"@id":"https:\/\/signmycode.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/signmycode.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/signmycode.com\/blog\/#organization","name":"SignMyCode.com","url":"https:\/\/signmycode.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/signmycode.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2021\/10\/logo1.png","contentUrl":"https:\/\/signmycode.com\/blog\/wp-content\/uploads\/2021\/10\/logo1.png","width":135,"height":86,"caption":"SignMyCode.com"},"image":{"@id":"https:\/\/signmycode.com\/blog\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/posts\/5479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/comments?post=5479"}],"version-history":[{"count":3,"href
":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/posts\/5479\/revisions"}],"predecessor-version":[{"id":5483,"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/posts\/5479\/revisions\/5483"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/media\/5480"}],"wp:attachment":[{"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/media?parent=5479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/categories?post=5479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/signmycode.com\/blog\/wp-json\/wp\/v2\/tags?post=5479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}