Security public service announcements: Third-Party Libraries and Supply Chains - PSA-2025-09-17

Date: 2025-September-17

Description:

Supply-chain attack via maintainer account takeover

NPM packages have been targeted in maintainer account takeover attacks. The attackers have deployed an automated credential-scanning tool that searches for secret keys exposed on public systems such as build automation and continuous integration (CI) systems and sends any credentials it finds back to the attacker. With the stolen maintainer credentials, the attackers download the affected NPM packages, modify them to insert a trojan-like script bundle, and republish them under the maintainer's account. Any application that installs one of these maliciously modified packages can then be compromised.

Coverage and advice on remediation:

While this attack has targeted NPM packages, the same strategy could be used against packages in other ecosystems as well.

Managing supply-chain security

Website owners should actively manage their dependencies, potentially leveraging a Software Bill of Materials (SBOM) or scanner services. Other relevant tools include Content Security Policy (CSP) and Subresource Integrity (SRI), which limit where a page may load scripts from and verify that a loaded script matches a known hash.

It is the policy of the Drupal Security Team that site owners are responsible for monitoring and maintaining the security of third-party libraries and any non-Drupal components of the stack. In rare cases, the Drupal Security Team will post an informational public service announcement (PSA) such as this one, but the remit of the Drupal Security Team remains limited to code hosted on Drupal.org’s systems. Previous PSAs on third-party code in the Drupal ecosystem include:

Impact to the Drupal project itself

Drupal's infrastructure maintainers, the Drupal Security Team, and Drupal core maintainers have received tips about this situation from several sources. Individuals in those groups have evaluated their exposure, and we believe the Drupal project itself is not affected by this issue. If you have information suggesting that Drupal is affected, please reach out to us.

This post is likely to be updated as the situation evolves and more information is available.
