Security researchers at Sonatype have uncovered a sophisticated supply chain attack targeting multiple popular npm packages, some of which have been fundamental to the JavaScript ecosystem for nearly a decade. The attack specifically targeted ten packages primarily used in cryptocurrency operations, embedding malicious code designed to steal sensitive developer credentials and confidential data. According to npm’s package registry, several of the compromised packages had millions of cumulative downloads.
Critical Impact on Widely-Used Packages
The most significant compromise affects the country-currency-map package, which averages thousands of weekly downloads. The attackers injected malicious code through two obfuscated scripts: /scripts/launch.js and /scripts/diagnostic-report.js, which execute automatically during package installation. These scripts are programmed to exfiltrate sensitive information, including environment variables, API keys, access tokens, and SSH keys, transmitting them to attacker-controlled servers.
Attack Vector Analysis and Compromise Method
Sonatype’s investigation reveals that the attackers likely employed credential stuffing attacks to gain unauthorized access to multiple developer accounts. This technique leverages previously leaked username-password combinations from other data breaches to compromise accounts. The simultaneous compromise of multiple packages from different developers, coupled with the absence of GitHub repository breach indicators, strongly supports this hypothesis. Supply chain threats of this type are documented by MITRE ATT&CK under technique T1195.002 (Compromise Software Supply Chain).
Node.js Projects with Malicious npm Packages in Their Dependency Tree
This attack primarily targets developers and organizations building cryptocurrency applications, DeFi tooling, or any JavaScript projects that depend on the compromised packages. CI/CD pipelines that run npm install automatically are at elevated risk because malicious scripts execute at install time without explicit user action. Any developer who installed the affected versions between the compromise window and the deprecation notice may have had credentials stolen.
Security Implications and Detection
The attack demonstrates sophisticated evasion techniques, with malicious code carefully obfuscated to avoid detection by automated security tools. The compromised packages primarily target developers working with cryptocurrency applications, suggesting a focused attempt to access high-value digital assets and sensitive financial infrastructure. Security scanning tools such as Snyk’s package record for country-currency-map can help identify compromised dependencies in existing projects.
What Developers Should Do Now
- Immediately audit your package.json and package-lock.json for any of the ten affected packages and remove or downgrade them (e.g., country-currency-map: downgrade to 2.1.7).
- Rotate all secrets — API keys, access tokens, SSH keys, and environment variables — that existed on any machine where the compromised packages were installed.
- Enable npm two-factor authentication on all publisher accounts and enforce it across your organization’s npm teams.
- Integrate a software composition analysis (SCA) tool into your CI/CD pipeline to flag new malicious packages before they reach production.
- Review your npm audit logs and system logs for evidence of outbound connections to unknown hosts during the affected time window.
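The lockfile audit in the first step above, and the install-time script behaviour described earlier, can both be checked mechanically. The following is an added example written for this article, not code from Sonatype or from any of the affected packages: it flattens a package-lock.json (lockfile v1 or v2/v3), reports exact matches against a known-compromised list, and lists which dependencies npm flags as carrying install scripts. The lockfile and manifest contents are constructed for illustration; the only indicator taken from the advisory is country-currency-map@2.1.8, and the postinstall command wiring is an assumption, not a detail the report states.

```javascript
// Added example: audit an npm lockfile for a known-compromised version and for
// dependencies that declare install-time lifecycle scripts, which npm runs
// automatically during `npm install`. Sample data below is constructed.

const KNOWN_BAD = new Set(['country-currency-map@2.1.8']); // from the advisory

// Lifecycle hooks npm executes while installing a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Flatten lockfile v2/v3 (the "packages" map) or v1 (nested "dependencies").
function packagesFromLock(lock) {
  const out = [];
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '') continue; // the root project itself
      // Keys look like "node_modules/foo" or "node_modules/foo/node_modules/bar".
      const idx = key.lastIndexOf('node_modules/');
      const name = key.slice(idx + 'node_modules/'.length);
      out.push({ name, version: entry.version, hasInstallScript: entry.hasInstallScript === true });
    }
    return out;
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      out.push({ name, version: entry.version, hasInstallScript: false }); // v1 lacks the flag
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return out;
}

// Exact name@version matches against the known-compromised list.
function findCompromised(lock, knownBad = KNOWN_BAD) {
  return packagesFromLock(lock)
    .filter((p) => knownBad.has(`${p.name}@${p.version}`))
    .map((p) => `${p.name}@${p.version}`);
}

// Packages the lockfile marks with hasInstallScript (v2/v3 lockfiles only).
function findInstallScripts(lock) {
  return packagesFromLock(lock)
    .filter((p) => p.hasInstallScript)
    .map((p) => `${p.name}@${p.version}`);
}

// Given the contents of node_modules/<pkg>/package.json, list the hook
// commands so a reviewer can see exactly what would run at install time.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// --- constructed sample input (not a real lockfile) ---
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/country-currency-map': { version: '2.1.8', hasInstallScript: true },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/left-pad/node_modules/esbuild': { version: '0.19.0', hasInstallScript: true },
  },
};

const SAMPLE_MANIFEST = {
  name: 'country-currency-map',
  version: '2.1.8',
  scripts: { postinstall: 'node scripts/launch.js' }, // assumed wiring, constructed for the example
};

function runAudit(lock, manifest) {
  return {
    compromised: findCompromised(lock),
    installScripts: findInstallScripts(lock),
    hooks: installHooks(manifest),
  };
}

console.log(JSON.stringify(runAudit(SAMPLE_LOCK, SAMPLE_MANIFEST), null, 2));
```

To run it against a real project, pass `JSON.parse` of your package-lock.json to `runAudit` together with the parsed manifest of any package the install-script list flags. For CI runners, which the article singles out as high risk because nothing prompts before scripts execute, the same exposure can be reduced by installing with `npm ci --ignore-scripts` and allow-listing only the few dependencies that genuinely need a build hook.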
Current Status and Mitigation Steps
While npm implemented mandatory two-factor authentication for popular packages in 2022, most of the compromised packages remained accessible with their malicious code intact for a period after discovery. The developer of country-currency-map took swift action by deprecating the compromised version 2.1.8 and recommending users downgrade to the secure version 2.1.7. This incident is a concrete example that even long-established, trusted packages can become vectors for sophisticated supply chain attacks — a pattern also tracked by OWASP’s Software and Data Integrity Failures (formerly A8 in the Top 10).