A widespread supply-chain attack targeting JavaScript packages has so far yielded only a small haul — about $1,043 in cryptocurrency — despite an alarmingly wide footprint, researchers say.
Security firm Wiz says attackers used social engineering to take control of a GitHub account belonging to Qix (Josh Junon), a maintainer of popular npm packages. The attackers pushed malicious package updates that hooked into APIs and crypto wallet interfaces, scanned for on-chain activity and attempted to rewrite transaction recipients and other data.
Wiz’s analysis warns that roughly 10% of cloud environments contain some instance of the injected code, and that 99% of cloud environments rely on at least one of the targeted packages — though not every environment would have pulled the infected updates.
Blockchain data firm Arkham Intelligence reports the attacker wallets have received only about $1,043 so far, mostly in ERC‑20 transfers ranging from $1.29 to $436. JFrog Security also revealed the DuckDB SQL database was impacted and described the incident as one of the largest npm compromises on record.
Rapid detection and mitigation helped limit losses. Multiple organizations detected the malicious release within two hours and removed the affected packages. Wiz notes the payload was narrowly targeted and that many developers run protections that can flag suspicious package behavior, which reduced the malware's reach.
Risk note: software supply-chain compromises can scale quickly and give attackers broad access; teams should lock dependency versions, enable package signing, implement dependency scanning, restrict runtime permissions, apply least-privilege controls and monitor for anomalous package activity.
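As an added defender-side example (not from the original coverage or from any of the firms named), the following Python audits an npm `package-lock.json` for the controls the risk note lists: floating version ranges, resolved versions on a block list, missing integrity hashes, and tarballs resolved outside the trusted registry. The lockfile, package names and block list are constructed placeholders; the incident's real package names and versions are not reproduced.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3) for this demo; not real project data.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"example-widget": "^1.2.0", "example-helper": "0.4.1"}},
        "node_modules/example-widget": {
            "version": "1.2.5",
            "resolved": "https://registry.npmjs.org/example-widget/-/example-widget-1.2.5.tgz",
            "integrity": "sha512-PLACEHOLDER"},
        "node_modules/example-helper": {
            "version": "0.4.1",
            "resolved": "https://registry.npmjs.org/example-helper/-/example-helper-0.4.1.tgz",
            "integrity": "sha512-PLACEHOLDER"},
        "node_modules/example-mirror": {
            "version": "2.0.0",
            "resolved": "https://mirror.example.internal/example-mirror-2.0.0.tgz"},
    },
})

# Placeholder block list of (package, version) pairs. The incident's real
# package names and versions are not reproduced here; feed this from an advisory.
COMPROMISED = {("example-widget", "1.2.5")}

def audit_lockfile(lock_text, compromised, trusted_registry="https://registry.npmjs.org/"):
    """Return (package, version, reason) findings for a lockfile's resolved packages."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", {})
    findings = []
    # A floating range in the root manifest lets a malicious patch release in on the next install.
    for name, spec in packages.get("", {}).get("dependencies", {}).items():
        if spec in ("*", "latest") or spec[:1] in ("^", "~", ">", "<"):
            findings.append((name, spec, "floating version range"))
    for path, meta in packages.items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # keeps "@scope/pkg" intact
        version = meta.get("version", "")
        if (name, version) in compromised:
            findings.append((name, version, "known-compromised version"))
        if not meta.get("integrity"):
            findings.append((name, version, "missing integrity hash"))
        if not meta.get("resolved", "").startswith(trusted_registry):
            findings.append((name, version, "resolved outside trusted registry"))
    return findings

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK, COMPROMISED):
        print(*finding)
```

Run it against a real lockfile with `json.load(open("package-lock.json"))` and a block list taken from the relevant advisory; an empty result means the lockfile pins exact versions, carries integrity hashes and resolves only to the expected registry.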
This incident underscores the need for continuous supply-chain visibility and stronger safeguards across development pipelines to prevent similar attacks from having larger financial impact.
Source: Decrypt. Read the original coverage for full details.