
In a troubling trend, the past week has witnessed a significant uptick in supply-chain attacks aimed at open source software housed in public repositories. These assaults have successfully compromised several developer accounts, leading to the distribution of harmful packages to unsuspecting users. The latest incident, as reported by cybersecurity firm Socket, involved malicious JavaScript code found on the npm repository. A total of 10 infected packages linked to the global talent agency Toptal were downloaded by around 5,000 users before the attack was identified and the packages removed. This incident marks the third supply-chain attack that Socket has detected on npm within just one week.

The attackers gained access by breaching Toptal’s GitHub Organization and subsequently leveraged that access to upload malicious packages on npm. Researchers are still piecing together the exact mechanics of the attack, particularly the connection between the changes made in the GitHub repository and the package publications on npm. According to Socket, the npm package publishing likely occurred through GitHub Actions or stored npm tokens, which became vulnerable after the GitHub Organization was compromised. The integration between GitHub and npm in development workflows facilitates the publishing of npm packages once a GitHub organization is hijacked.

Socket researchers noted that the attack could have stemmed from compromised GitHub access that allowed for both repository alterations and npm package publishing, or from distinct weaknesses that impacted both platforms separately. They emphasized that without further forensic analysis, deciphering the exact interplay and timeline of these events remains a complex challenge.
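As an added illustration (not taken from the Socket report or from Toptal's repositories), the two GitHub Actions fragments below contrast the stored-token publishing pattern the article describes with a hardened variant that uses npm trusted publishing over GitHub's OIDC provider and attaches provenance attestations; the workflow, environment and secret names are assumptions.

```yaml
# --- Weak: publish with a long-lived npm token stored as an org/repo secret.
# Whoever controls the GitHub Organization can trigger this job, or edit the
# workflow to read the secret, and publish any version of the package.
name: publish-weak
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
---
# --- Hardened: no stored token to steal. npm trusted publishing mints a
# short-lived credential for this exact repository and workflow from the
# job's OIDC token, and --provenance attaches a signed attestation linking
# the published tarball to this commit and workflow run.
name: publish-hardened
on:
  release:
    types: [published]
permissions:
  contents: read                    # default for every job
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release        # assumed name; require reviewers on it
    permissions:
      contents: read
      id-token: write               # only this job may request an OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # trusted publishing needs a recent npm CLI
      - run: npm ci
      - run: npm publish --provenance --access public
```

Consumers can verify the resulting attestations with `npm audit signatures`; a release that lacks provenance, or whose attestation points at a repository or workflow other than the configured trusted publisher, is exactly the anomaly a defender investigating an incident like this one would want surfaced.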