Malicious AsyncAPI Packages in npm: Supply Chain Attack

Photo: BleepingComputer
Quick answer
Malicious AsyncAPI packages in npm were found distributing a credential-stealing trojan as part of a supply chain attack.
Five malicious versions of AsyncAPI-related packages have been identified in the npm repository. Attackers used them to distribute a remote access trojan capable of stealing credentials and other sensitive information from infected devices.
The supply chain attack affected developers using these packages in their projects. The malicious code was disguised as legitimate updates, making detection difficult. Cybersecurity experts note that such incidents are becoming increasingly common, particularly in open-source ecosystems.
Experts recommend that developers thoroughly vet dependencies before installation and use automated security analysis tools like npm audit. Keeping up with updates and vulnerability notifications for used libraries is also essential.
The AsyncAPI project has already removed the infected package versions from the repository, but the incident serves as a reminder to strengthen security measures when working with third-party components.
Common questions
- What is a supply chain attack in the context of npm?
- A supply chain attack in npm involves injecting malicious code into popular packages or libraries, which attackers then use to distribute malware to developers who install these dependencies in their projects.
- How can I protect against malicious packages in npm?
- To stay protected, verify package reputations, use dependency analysis tools like npm audit, and only update dependencies from trusted sources. Monitoring vulnerability reports is also crucial.
- What data can be stolen by malware in npm packages?
- Malicious packages may steal credentials, browser data, cookies, system information, and other sensitive data stored on the developer's device.
Dzen feed: /feed/dzen.xml · RSS: /feed.xml