Last week Checkmarx Security detailed the attack that led to a temporary Denial of Service (DoS) on the Node.js package repository npm in March. Threat actors uploaded hundreds of thousands of fake packages in a type of SEO-poisoning attack that relies on the reputation of package managers to place the bogus packages at the top of search results. The packages are empty, only containing a README with further instructions for infection. The sheer number of packages uploaded caused a DoS, nearly doubling the number of package updates that npm normally sees. The follow-on payloads consisted of information stealers, cryptocurrency miners, and malware loaders, as well as a referral scam using AliExpress and a crypt scam using a Russian-language Telegram channel.
Companies have several options for protecting against these types of supply chain attacks. If roles have been effectively assigned, a web proxy could limit access to repositories to just developers and administrators, reducing the attack surface. Additionally, keeping detection and response software (EDR, MDR, XDR, etc.) up-to-date will help catch malware that has been previously identified or performs suspicious or unusual actions.