40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials
研究人员发现针对npm registry的软件供应链攻击,影响40多个包。恶意脚本bundle.js被注入到受感染包中,用于扫描开发者机器上的敏感信息(如GitHub令牌、NPM令牌、AWS密钥)并将其传输到攻击者控制的服务器。该攻击还可利用GitHub Actions在存储库中创建持久化工作流以持续窃取数据。同时,Rust生态系统也遭遇钓鱼邮件攻击,模仿crates.io诱导用户泄露GitHub凭证。 2025-9-16 05:0:0 Author: thehackernews.com(查看原文) 阅读量:17 收藏

Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that has affected more than 40 packages that belong to multiple maintainers.

"The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages," supply chain security company Socket said.

The end goal of the campaign is to search developer machines for secrets using TruffleHog's credential scanner and transmit them to an external server under the attacker's control. The attack is capable of targeting both Windows and Linux systems.

Audit and Beyond

The following packages have been identified as impacted by the incident -

The malicious JavaScript code ("bundle.js") injected into each of the trojanized package is designed to download and run TruffleHog, a legitimate secret scanning tool, using it to scan the host for tokens and cloud credentials, such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY.

"It validates npm tokens with the whoami endpoint, and it interacts with GitHub APIs when a token is available," Socket said. "It also attempts cloud metadata discovery that can leak short-lived credentials inside cloud build agents."

The script then abuses the developer's credentials (i.e., the GitHub personal access tokens) to create a GitHub Actions workflow in .github/workflows, and exfiltrates the collected data to a webhook[.]site endpoint.

Developers are advised to audit their environments and rotate npm tokens and other exposed secrets if the aforementioned packages are present with publishing credentials.

"The workflow that it writes to repositories persists beyond the initial host," the company noted. "Once committed, any future CI run can trigger the exfiltration step from within the pipeline where sensitive secrets and artifacts are available by design."

crates.io Phishing Campaign

The disclosure comes as the Rust Security Response Working Group is warning of phishing emails from a typosquatted domain, rustfoundation[.]dev, targeting crates.io users.

CIS Build Kits

The messages, which originate from security@rustfoundation[.]dev, warn recipients of an alleged compromise of the crates.io infrastructure and instruct them to click on an embedded link to rotate their login information so as to "ensure that the attacker cannot modify any packages published by you."

The rogue link, github.rustfoundation[.]dev, mimics a GitHub login page, indicating a clear attempt on the part of the attackers to capture victims' credentials. The phishing page is currently inaccessible.

"These emails are malicious and come from a domain name not controlled by the Rust Foundation (nor the Rust Project), seemingly with the purpose of stealing your GitHub credentials," the Rust Security Response WG said. "We have no evidence of a compromise of the crates.io infrastructure."

The Rust team also said they are taking steps to monitor any suspicious activity on crates.io, in addition to getting the phishing domain taken down.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.


文章来源: https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html
如有侵权请联系:admin#unsafe.sh