Software packages with more than 2 billion weekly downloads hit in supply-chain attack
Incident hitting npm users is likely the biggest supply-chain attack ever.

Around the same time, Josh Junon, a maintainer or co-maintainer of the affected packages, said he had been “pwned” after falling for a phishing email. The email claimed his account on the platform would be closed unless he logged into a site and updated information related to his two-factor authentication (2FA), which requires users to present a physical security key or supply a one-time passcode from an authenticator app in addition to a password when logging in. Within an hour, dozens of open source packages Junon oversees had received updates that added malicious code for redirecting cryptocurrency payments to attacker-controlled wallets.

Or read this on ArsTechnica
