A large-scale npm frontend supply chain attack has recently been identified, where attackers compromised the npm account of a well-known developer (qix) via phishing. They then published malicious versions of popular JavaScript packages (such as chalk and debug), embedding malicious code.
This code hijacks native objects like Fetch, XHR, and window.ethereum at runtime. It scans network responses and parameters for address strings and replaces the victim’s address with the “closest” matching address from a built-in list of malicious addresses. The attack impacts assets on major chains, including ETH, BTC (legacy/segwit), TRON, LTC, BCH, and SOL.
What is a Supply Chain Attack?
A supply chain attack is a cyberattack where adversaries infiltrate an organization by targeting less secure elements in its supply network. Rather than attacking the target directly, they compromise a trusted third-party vendor, partner, or software provider. By embedding malicious code or components into products or services, attackers can exploit the trust between the supplier and the end user to compromise the final target system.
Key Attack Methods in This Incident
- Email Phishing: The developer was tricked into performing a 2FA reset, allowing attackers to seize control of their npm account.
- Publishing Malicious Packages: New, malicious versions were published for dozens of widely depended-on packages.
- Transaction Address Tampering: During frontend execution, the malicious code actively scans for potential transaction addresses and replaces them with addresses controlled by the attacker.
Best Practices for Frontend Supply Chain Security
- Version Pinning and Controlled Installation: Use npm ci to install dependencies based on the package-lock.json file, eliminating the risks associated with floating versions.
- Strict Vetting of External Dependencies: Establish clear criteria for dependency admission, including project star count, maintenance activity, and minimal functional scope. All dependency upgrades must undergo rigorous security assessments and scans.
- Internal Dependency Caching and Regular Audits: Implement an internal caching proxy for dependencies. Regularly scan both new and existing dependencies to promptly identify abnormal or high-risk versions.
- Rapid Response to Security Intelligence: Monitor multiple security intelligence channels (community forums, vendor bulletins, vulnerability databases) to receive attack updates in real time and conduct emergency assessments of internal projects.
A Serious Reminder for All Web3 Users
Although this attack was short-lived, its potential impact is vast, theoretically affecting any website running in a web browser. There is currently no foolproof technical method to determine if a specific site is safe.
Therefore, the Safeheron team solemnly reminds our clients and all Web3 users:
- Always exercise extreme caution with on-chain transactions. Cross-verify transaction addresses through multiple trusted channels before signing.
- Contact your service providers directly to confirm the scope of impact and their security status.
https://safeheron.com/blog/supply-chain-attack-targets-frontend-ecosystem