On September 8th, Josh Junon, the main developer of several very popular NPM packages, posted that his NPM account had been compromised. The attacker used the account to publish new versions of those packages containing code that runs in the browser of any website that ships them: it silently intercepts crypto and web3 activity, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious sign to the user.
The packages and versions identified as carrying the malware at the time of writing are the following:
- ansi-styles@6.2.2
- debug@4.4.2
- chalk@5.6.1
- supports-color@10.2.1
- strip-ansi@7.1.1
- ansi-regex@6.2.1
- wrap-ansi@9.0.1
- color-convert@3.1.1
- color-name@2.0.1
- is-arrayish@0.3.3
- slice-ansi@7.1.1
- color@5.0.1
- color-string@2.1.1
- simple-swizzle@0.2.3
- supports-hyperlinks@4.1.1
- has-ansi@6.0.1
- chalk-template@1.1.1
- backslash@0.2.1
The core maintainer has been working on recovering access and removing those versions from the repositories. The compromised versions have already been removed from the NPM registry. In this post you can find more information from the main developer, timelines, and why other contributors could be affected by this issue.
[UPDATED Sept 9th]
The ongoing npm supply chain attack has now spread to another high-profile maintainer. The npm account "duckdb_admin" was breached and multiple malicious versions were published:
- duckdb@1.3.3
- @duckdb/duckdb-wasm@1.29.2
- @duckdb/node-api@1.3.3
- @duckdb/node-bindings@1.3.3
Additional packages were also published with the same payload but have negligible downloads:
- prebid@10.9.1
- prebid@10.9.2
- @coveops/abi@2.0.1
[UPDATED Sept 19th]
The list of packages continues to grow; we are checking new updates against the list published at https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
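Outside the Bitnami catalog, the same question ("do I ship any of these versions?") can be answered against a project's own lockfile. The following is an added example, not code from the original post or from the Bitnami tooling: it walks an npm `package-lock.json` (the `packages` map of lockfile v2/v3, or the nested `dependencies` tree of v1) and reports every installed copy, including nested duplicates and scoped packages, whose `name@version` matches the list above. The lockfile content embedded at the bottom is constructed for the example; the function and variable names are the example's own.

```javascript
// Added example: flag installed npm packages whose name@version appears on the
// advisory list above. Not part of the original post; SAMPLE_LOCK is constructed.

// package@version pairs exactly as listed in the post (both updates included).
const COMPROMISED = new Set([
  "ansi-styles@6.2.2", "debug@4.4.2", "chalk@5.6.1", "supports-color@10.2.1",
  "strip-ansi@7.1.1", "ansi-regex@6.2.1", "wrap-ansi@9.0.1", "color-convert@3.1.1",
  "color-name@2.0.1", "is-arrayish@0.3.3", "slice-ansi@7.1.1", "color@5.0.1",
  "color-string@2.1.1", "simple-swizzle@0.2.3", "supports-hyperlinks@4.1.1",
  "has-ansi@6.0.1", "chalk-template@1.1.1", "backslash@0.2.1",
  "duckdb@1.3.3", "@duckdb/duckdb-wasm@1.29.2", "@duckdb/node-api@1.3.3",
  "@duckdb/node-bindings@1.3.3", "prebid@10.9.1", "prebid@10.9.2", "@coveops/abi@2.0.1",
]);

// Lockfile v2/v3 keys entries by install path, e.g.
// "node_modules/foo/node_modules/@duckdb/node-api"; the package name is
// everything after the last "node_modules/" (scoped names keep their slash).
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Lockfile v1 nests dependencies recursively; walk the tree and rebuild the
// install path so nested copies are reported with their location.
function walkV1(deps, prefix, hits, blocklist) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    const key = `${name}@${entry.version}`;
    if (blocklist.has(key)) hits.push({ path, package: key });
    walkV1(entry.dependencies, `${path}/`, hits, blocklist);
  }
}

// Returns [{ path, package }] for every installed copy on the blocklist.
function findCompromised(lock, blocklist = COMPROMISED) {
  const hits = [];
  if (lock.packages) {
    for (const [lockPath, entry] of Object.entries(lock.packages)) {
      if (lockPath === "" || !entry || !entry.version) continue; // root project
      const name = entry.name || packageNameFromPath(lockPath);
      const key = `${name}@${entry.version}`;
      if (blocklist.has(key)) hits.push({ path: lockPath, package: key });
    }
  } else {
    walkV1(lock.dependencies, "", hits, blocklist);
  }
  return hits;
}

// Constructed lockfile (v3 layout) mixing clean and compromised versions,
// including a nested duplicate of "debug" that a top-level check would miss.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.6.1" },                   // on the list
    "node_modules/debug": { version: "4.4.1" },                   // earlier, clean
    "node_modules/foo/node_modules/debug": { version: "4.4.2" },  // nested, on the list
    "node_modules/@duckdb/node-api": { version: "1.3.3" },        // scoped, on the list
    "node_modules/supports-color": { version: "10.2.0" },         // clean
  },
};

// Usage: `node check-lock.js [path/to/package-lock.json]`; without a path the
// constructed sample is scanned.
const lockPath = typeof process !== "undefined" ? process.argv[2] : undefined;
const lock = lockPath
  ? JSON.parse(require("fs").readFileSync(lockPath, "utf8"))
  : SAMPLE_LOCK;
console.log(JSON.stringify(findCompromised(lock), null, 2));
```

Matching on exact `name@version` rather than on name alone keeps earlier, clean releases (such as `debug@4.4.1` in the sample) out of the report, while walking every install path catches copies hoisted under other dependencies. Any hit should be treated as a reason to rebuild from a clean lockfile, not only to bump the one version.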
Is any Bitnami application affected by the NPM compromised packages?
No. The Bitnami team has reviewed this issue and, using the package and version information provided, concluded that none of the applications in the catalog, nor any of the internal systems, were affected.
How can I check if any of the applications in the catalog is affected?
The Visual Software Knowledge Graph in Bitnami Secure Images makes it easy to organize complex security metadata, with continuous SBOM scanning that helps you quickly discover and act on vulnerability remediations in your open source software.
The process to check whether any application is affected by any of the compromised NPM packages is simple:
- Search the packages database by name and version. It is also possible to use the Package URL.
- Click on the package name and verify the list of “Affected Applications”. If there is any vulnerable package, check the column “Latest App Version” to see whether a new version is already available in your registry.

The Knowledge Graph functionality allows customers to answer questions for the whole catalog:
- Which applications and versions include a specific package?
- What are the dependent packages of that package and of the application?
- What applications are affected by a specific CVE?
For this specific case, Bitnami Secure Images customers can look up the specific NPM package and version and find the list of applications that ship it. In the screenshot below, we show a previous, unaffected version of the NPM “debug” package and the list of apps that contain it.


Do you want to know how the Bitnami Secure Images catalog can help you to manage security issues? Reach out to us and book a demo to learn more!