npm Supply Chain Cryptocurrency Malware

Byadmblake

What is the Attack? Researchers have identified a large-scale software supply chain campaign targeting the npm ecosystem, leveraging malicious JavaScript packages to distribute a multi-stage cryptocurrency-focused malware framework. The campaign affected numerous npm packages that collectively accumulated more than 2.7 million downloads, significantly increasing the potential victim pool among developers, software organizations, and CI/CD environments….

What is the Attack?

Researchers have identified a large-scale software supply chain campaign targeting the npm ecosystem, leveraging malicious JavaScript packages to distribute a multi-stage cryptocurrency-focused malware framework. The campaign affected numerous npm packages that collectively accumulated more than 2.7 million downloads, significantly increasing the potential victim pool among developers, software organizations, and CI/CD environments. The malware is designed to steal cryptocurrency wallet data, harvest credentials, exfiltrate sensitive information, and deploy additional payloads on compromised systems.

The campaign highlights the growing risk posed by software supply chain attacks, where trusted open-source repositories are abused to distribute malware through legitimate development workflows.

Successful infection may allow attackers to:

• Steal cryptocurrency wallet credentials and digital assets.

• Harvest developer credentials, API keys, and authentication tokens.

• Obtain access to cloud environments and CI/CD platforms.

• Exfiltrate source code and sensitive project data.

• Compromise software build pipelines and downstream software consumers.

• Deploy additional malware or persistence mechanisms on infected systems.

• Facilitate further supply chain compromises through stolen publishing credentials.

What is the recommended Mitigation?

• Audit all recently installed npm dependencies for unauthorized or suspicious packages.

• Implement software composition analysis (SCA) and dependency monitoring solutions.

• Enforce package integrity verification and package provenance validation.

• Rotate npm, GitHub, cloud, and CI/CD credentials if compromise is suspected.

• Restrict the use of long-lived access tokens and enforce least-privilege permissions.

• Monitor developer endpoints and build systems for unusual network activity.

• Implement continuous monitoring for unauthorized package publishing activity.

• Review software supply chain security controls and dependency approval processes.

What FortiGuard Coverage is available?

• FortiGuard Antivirus & Behavior Detection: Detects and blocks malware components, credential theft modules, and suspicious behaviors associated with malicious npm packages and multi-stage payload delivery.

• FortiGuard IOC Service: Added coverage for all publicly disclosed malicious infrastructure and indicators of compromise associated with this campaign at the time of publication.

• FortiGuard IPS Service: Provides protection against known command-and-control communications, malware delivery infrastructure, and exploitation techniques used by follow-on payloads.

• FortiGuard Attack Surface Security Service: Helps identify exposed developer assets, CI/CD infrastructure, and internet-facing systems that may be leveraged following a credential compromise.

• FortiGuard Incident Response Service: Assists organizations in investigating software supply chain compromises, identifying affected systems, assessing credential exposure, and supporting remediation efforts.

• FortiGuard Managed Detection and Response (MDR) Service: Provides continuous monitoring and threat hunting to identify suspicious package activity, credential abuse, unauthorized cloud access, and post-compromise attacker activity.

Related