NPM ecosystem hit with two new supply chain compromises
Summary
Two significant supply chain compromises have affected the npm ecosystem, impacting multiple packages from AsyncAPI and Jscrambler Code Integrity. Attackers gained access through compromised development credentials and exploited a known vulnerability in GitHub Actions CI/CD workflows to inject malware into open-source packages. Affected organizations are advised to rebuild systems from clean images and rotate all credentials.
IFF Assessment
This article details a successful supply chain attack that compromised popular open-source packages, posing a direct threat to developers and the software they build.
Defender Context
This incident underscores the critical need for robust supply chain security practices, including stringent credential management and careful monitoring of CI/CD pipelines. Defenders should be vigilant for unauthorized changes to package manifests and source code, and implement strict controls on pull request workflows that execute untrusted code.