JavaScript packages with billions of downloads were injected with malicious code in world's largest supply chain hack, geared to steal crypto — a phishing email is all it took to undermine npm packages
Yet all the attacker did was attempt to steal cryptocurrency

A total of 18 JavaScript packages that have over 2 billion weekly downloads have been injected with malicious code in what is billed as the largest supply chain hack in history. The compromised code was designed to steal cryptocurrency.
Picture this: Thanos, a Death-obsessed maniac retconned within the Marvel Cinematic Universe to be the most radical environmental activist in history, has assembled the Infinity Gauntlet. With it, he could wipe out half the universe's population. He raises his hand, snaps his fingers, and... steals a bunch of cryptocurrency instead. The Infinity Gauntlet would still be a problem, sure, but wouldn't that first snap come as a relief?
That's kind of how the recent compromise of JavaScript packages that have been downloaded billions of times feels. Does the ease with which an unknown threat actor was able to compromise the maintainer of these packages, modify the software, and distribute it highlight the disastrous state of modern software development? Absolutely. But we're lucky—they prioritized getting rich over wreaking havoc.
Here's what happened. Aikido said yesterday that 18 packages "were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user."
The packages in question are distributed via npm, GitHub's package manager and registry for the Node.js ecosystem, and they are collectively downloaded approximately 2 billion times per week. In theory, the hacker could have used the ability to modify these packages to do anything; Aikido said they opted to attempt to steal "Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash."
We don't know how far these malicious packages spread. The packages themselves are downloaded billions of times a week, but that's at least partly a byproduct of software build systems constantly fetching and re-fetching a project's dependencies. There's no denying these packages are popular, though, and organizations whose software depends on them should make sure they aren't using the malicious releases.
But was this at least the result of a sophisticated attack? No. The maintainer of these packages (who, it should be noted, uses the handle "bad-at-computer" on Bluesky) said they received a two-factor authentication reset email that "looked very legitimate" from "support@npmjs.help" and thought it was benign. It wasn't. All it took to pull off a hack of this scale was a domain name, an email, and the willingness to try.
This isn't a new problem, nor is it exclusive to npm. I reported in 2021 that hackers were targeting maintainers of packages used by JavaScript, Python, Ruby, and Java developers in their own software, and even then, the problem had been known for years. The infamous left-pad incident—wherein the deletion of 11 lines of code "broke the internet" because so much software depended on it—happened in 2016.
The industry has been attempting to address this problem by encouraging the use of software bills of materials (SBOMs), requiring maintainers of widely used packages to secure their accounts with two-factor authentication, etc. Yet this incident proves that these measures are not enough. Until the commonly accepted processes of developing, maintaining, and releasing software change, these problems will persist.
This time, the Infinity Gauntlet was used to steal cryptocurrency. Will the next Thanos snap their fingers with the same intention? And which is going to come first, the snap that causes far more damage than a crypto thief, or the arrival of something that can finally stop that snapping altogether? Thanos claimed that he's inevitable; are we really just consigning ourselves to hoping that was only true on the silver screen?

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
nookoool: At least it is good news it wasn't the maintainers doing the attack. People publish so many "useful" libraries that get adopted by tutorials and developers that it seems it would be possible for maintainers to go rogue. Got to be honest, how many people actually audit the thousands of libraries out there?

93QSD5: Reason #3858247 to avoid NPM.
I will NEVER install any piece of software that requires NPM. NEVER.

m3city: The title of this news is long. Why not include the whole story in the title? Or take a journalism course.