Threat Advisory: NPM Supply Chain Attacks

Executive Snapshot

So far in 2025, Node Package Manager (NPM) supply-chain attacks have escalated in both scale and sophistication, with incidents ranging from high-impact maintainer account takeovers affecting billions of downloads to stealthy typo-squatted libraries that harvested crypto keys, patched local applications, and persisted in developer environments. These campaigns revealed systemic weaknesses in identity protection, package verification, and dependency hygiene, underscoring the urgent need for organizations to treat open-source repository intake as a high-risk, externally exposed surface.

UltraViolet Cyber Threat Intelligence & Detection Engineering (TIDE) Team recommends the following actions for organizations with in-house development teams or custom software managed by outside vendors:

  • Enforce strong maintainer and automation security: Require hardware-based MFA, scoped tokens, and regular rotation of credentials across all development and CI/CD pipelines.
  • Implement package provenance and pinning controls: Use lockfiles, signed artifacts (Sigstore/SLSA), and internal mirrors to prevent unverified package drift.
  • Restrict risky build behaviors: Block or audit postinstall/network scripts and disable egress during dependency installation in production environments.
  • Continuously monitor dependencies and runtime behavior: Employ SBOMs, diff analysis, and runtime telemetry to detect unexpected API calls, wallet interception, or environment variable exfiltration.
  • Develop and rehearse supply-chain incident playbooks: Prepare for rapid rollback, dependency patching, and downstream customer notifications in the event of a compromised library.

TIDE Team Analysis

Throughout 2025, NPM was again a top target for software supply-chain attackers who combined maintainer account takeovers, typo-squatting, and functional cover tactics to slip wallet drainers, credential stealers, and destructive logic into developer workflows. The most significant breach, disclosed in September, stemmed from a phishing campaign against a trusted maintainer and led to the compromise of 20 high-profile packages with roughly two billion weekly downloads. The event demonstrated how a single identity lapse can cascade globally through the web stack.

The September campaign injected malicious code into popular packages such as chalk, debug, and ansi-regex. The payload intercepted browser APIs like fetch and wallet provider calls to replace cryptocurrency transaction destinations, targeting end users of sites shipping these libraries. The attacker also leveraged another compromised maintainer to propagate the same wallet-drainer logic through additional projects such as duckdb, highlighting the fragility of NPM’s trust model when multiple privileged accounts are abused.

In the same timeframe, “nodejs-smtp” appeared as a malicious impersonation of Nodemailer. Though it logged only a few hundred downloads, its sophistication was notable: on import, it unpacked desktop wallets, patched vendor bundles, and deployed a cryptocurrency clipper while still functioning as a working mailer. The ability to remain operational while embedding theft routines exemplifies a dangerous class of stealth packages designed to blend in with legitimate developer tooling.

Another September case involved four counterfeit Flashbots-related libraries published by an attacker under “flashbotts.” These packages selectively exfiltrated keys, environment variables, and mnemonics via Telegram or SMTP channels, while retaining partial compatibility with genuine Flashbots APIs. The actor, assessed as financially motivated and Vietnamese-speaking, concealed the theft logic within specific functions to evade static analysis. Such brand impersonation campaigns exploit the trust developers place in well-known ecosystem projects.

In August, researchers documented a hybrid campaign blending Go and NPM ecosystems. Eleven Go modules delivered shell-spawned payloads for Windows and Linux, while NPM libraries posed as WhatsApp socket tools and contained a destructive phone-number–gated kill switch that recursively deleted files. Although download counts were small, the attack demonstrated continued adversary interest in destructive capability and persistence inside developer and CI/CD environments.

Earlier in May, adversaries focused on the macOS version of the Cursor AI IDE using three rogue NPM packages. These harvested IDE credentials, disabled auto-updates, killed active processes, and hot-patched Cursor’s main.js, establishing persistence even if the dependencies were later removed. Alongside this, a legitimate package (“rand-user-agent”) was hijacked through a leaked automation token, with attackers publishing unauthorized versions that opened command-and-control channels and executed shell commands, reinforcing the importance of securing CI/CD credentials.

Across these incidents, shared attacker techniques emerged: phishing maintainers to defeat 2FA, brandjacking through typo-squatting and impersonations, delivering payloads at install or import time with post-install scripts, embedding malicious logic inside functional packages, and focusing on crypto-centric value theft. Several campaigns specifically targeted developer systems and build pipelines, increasing the risk of hidden persistence that could contaminate downstream artifacts long after the malicious dependency is removed.

The broader exposure was twofold: browser-side interceptors widened the impact to unsuspecting end users, while developer workstation compromises bled into signed software releases and testing environments. Both dynamics transform dependency management into a frontline security decision. The inability to fully trace or remediate local rewrites after removal complicates incident response and raises the likelihood of enduring compromise in development ecosystems.

For leaders, the strategic lesson is to treat NPM dependencies as an externally exposed attack surface. Protect maintainer and automation accounts with hardware-based MFA and scoped tokens, enforce pinning and provenance verification, disable post-install scripts in production, and monitor for anomalous runtime behavior. Just as importantly, rehearse dependency breach playbooks with SBOM-driven impact analysis and rollback capabilities. The events of 2025 showed that attackers will continue pivoting between ecosystem impersonation, token abuse, and selective exfiltration, making resilience dependent on proactive supply-chain governance.
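The pinning, install-script, and diff-analysis controls above can be checked mechanically against `package-lock.json`. The following is an added example, not code from UltraViolet or the npm project. It reads the `packages` map of a v2/v3 lockfile, flags entries that run install scripts, lack an integrity hash, or resolve outside an approved registry, and compares two lockfiles for drift. The package names, hashes, and git URL are constructed, and `REGISTRY`, `deps`, `auditLockfile`, and `diffLockfiles` are hypothetical names.

```javascript
const REGISTRY = "https://registry.npmjs.org/"; // assumption: replace with your internal mirror

// Yield [name, entry, path] for every installed dependency in the lockfile.
function* deps(lock) {
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links, and bundled deps (no tarball of their own).
    if (!path.includes("node_modules/") || pkg.link || pkg.inBundle) continue;
    yield [path.slice(path.lastIndexOf("node_modules/") + 13), pkg, path];
  }
}

function auditLockfile(lock, registry = REGISTRY) {
  const findings = [];
  for (const [name, pkg] of deps(lock)) {
    const flag = (rule) => findings.push({ name, version: pkg.version, rule });
    if (pkg.hasInstallScript) flag("install-script"); // code runs during npm install
    if (!pkg.integrity) flag("no-integrity"); // tarball cannot be hash-verified
    if (!String(pkg.resolved || "").startsWith(registry)) flag("off-registry");
  }
  return findings;
}

// Compare two lockfiles: report new packages, version drift, and same-version hash changes.
function diffLockfiles(before, after) {
  const old = new Map([...deps(before)].map(([, pkg, path]) => [path, pkg]));
  const changes = [];
  for (const [name, pkg, path] of deps(after)) {
    const prev = old.get(path);
    if (!prev) changes.push({ name, rule: "added", to: pkg.version });
    else if (prev.version !== pkg.version) changes.push({ name, rule: "version-changed", from: prev.version, to: pkg.version });
    else if (prev.integrity !== pkg.integrity) changes.push({ name, rule: "integrity-changed", to: pkg.version });
  }
  return changes;
}

// Constructed sample lockfiles (hypothetical package names, placeholder hashes).
const pinned = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/color-util": { version: "2.1.0", resolved: REGISTRY + "color-util/-/color-util-2.1.0.tgz", integrity: "sha512-AAAA" },
  "node_modules/native-addon": { version: "1.4.2", resolved: REGISTRY + "native-addon/-/native-addon-1.4.2.tgz", integrity: "sha512-BBBB", hasInstallScript: true },
}};
const proposed = { lockfileVersion: 3, packages: {
  ...pinned.packages,
  "node_modules/color-util": { ...pinned.packages["node_modules/color-util"], integrity: "sha512-CCCC" },
  "node_modules/git-dep": { version: "0.3.0", resolved: "git+ssh://git@example.invalid/x/git-dep.git#abc123" },
}};

console.log(auditLockfile(proposed));
console.log(diffLockfiles(pinned, proposed));
```

A hash change with no version change is the strongest signal here, since a published version's tarball should never differ between lockfiles. Installing with `npm ci --ignore-scripts` keeps flagged install scripts from running while they are reviewed.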

Why It Matters

Supply chain attacks target the interconnected systems, tools, and third-party components that organizations rely on to operate and innovate. Because modern enterprises depend heavily on external vendors, open-source software, and cloud-based services, a single compromised element can cascade across business units, customers, and partners. Recent incidents have shown how attackers can weaponize trusted relationships—whether through software libraries, service providers, or infrastructure components—to steal credentials, implant malicious code, or gain long-term persistence. The risk is amplified by the fact that these compromises often remain invisible until damage is already widespread, making detection and remediation especially challenging.

For organizations, the stakes are considerable: a successful supply chain attack can undermine customer trust, expose sensitive data, trigger regulatory consequences, and disrupt critical operations with little to no warning. Unlike traditional vulnerabilities, which can often be mitigated with patches or updates, supply chain compromises exploit the very trust organizations place in their dependencies, giving adversaries scale and reach that outpace normal defenses. To remain resilient, leaders must treat supply chain security as a core strategic priority, ensuring that governance, monitoring, and response capabilities extend beyond the enterprise perimeter to the broader ecosystem of vendors, partners, and technologies on which the business depends.

How to Respond

  • Strictly adhere to Cybersecurity Fundamentals and ensure all personnel undergo annual phishing and social engineering training. Speak with your UltraViolet Cyber TAM Representative to schedule a live phishing engagement.
  • Speak with your UltraViolet TAM Representative to review and select Static Application Security Testing (SAST) capabilities that fit your development team's needs for protecting against supply chain attacks.
  • Perform ongoing software dependency reviews as part of your CI/CD pipeline. A great starting place is the GitHub Dependabot service.
  • Perform annual tech refresh reviews to gain a holistic understanding of your infrastructure. Speak with your UltraViolet TAM Representative to schedule a RedTeam or PurpleTeam engagement to gain insight into the vulnerabilities in your environment.

What UltraViolet Cyber is Doing

  • UltraViolet TIDE Team and MDR/SOC work closely together and share information that can assist in the detection of malicious development patterns or malicious packages being imported.
  • Partnering with open and closed source developer communities to stay updated on malicious packages.
  • Parsing available victim dump data for any social, financial, business, or technical relations to UVCyber Clients and partner organizations.
  • Aggregating threat intelligence from myriad sources and applying the most up-to-date knowledge to proactive threat hunting and response.