According to analysis by SafeDep, the account in question, atool (i@hust.cc), which publishes the timeago.js JavaScript library, had publish rights to a large catalogue of packages, including popular tools such as size-sensor (4.2 million downloads per month), echarts-for-react (3.8 million), @antv/scale (2.2 million), and timeago.js (1.15 million).
That level of privilege, concentrated in a single maintainer account, allowed the attacker to publish at least 637 malicious versions across 317 different npm packages in a single 22-minute burst. The result was the compromise of a large chunk of Alibaba's AntV namespace, a growing platform used across Asia, the US, and Europe to build dashboards, user interfaces, and interactive applications.
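A burst like the 22-minute one described above leaves a trace in the registry's own metadata: every npm package document (GET https://registry.npmjs.org/<name>) carries a `time` map of version to publish timestamp. The script below is an added example, not code from the article, from SafeDep or Aikido, or from any of the packages named here. It merges the `time` maps of several package documents and reports runs of publishes that land within minutes of one another across packages, which is what a scripted publish from a stolen token looks like and what a maintainer releasing by hand almost never does. The package names, versions and timestamps are constructed for illustration; the ten-minute window and the three-publish threshold are assumptions to tune for your own dependency set.

```javascript
// Added example: detect publish bursts across several npm package documents.
// Not code from the article or from any project it names. The documents
// below are constructed; only the "name" and "time" fields of a real
// registry document are used, so you can feed it real JSON from
// https://registry.npmjs.org/<name> in the same shape.
const SAMPLE_DOCS = [
  {
    name: "example-widget", // hypothetical package
    time: {
      created: "2021-03-02T10:00:00.000Z",
      modified: "2025-11-24T07:15:51.000Z",
      "2.3.0": "2024-06-11T14:02:11.000Z",
      "2.4.0": "2025-01-20T09:15:40.000Z",
      "2.4.1": "2025-11-24T07:12:03.000Z", // two releases minutes apart,
      "2.4.2": "2025-11-24T07:15:51.000Z", // months after the last normal one
    },
  },
  {
    name: "@example/chart-utils", // hypothetical scoped package
    time: {
      created: "2023-08-14T12:00:00.000Z",
      modified: "2025-11-24T07:20:37.000Z",
      "0.9.0": "2025-03-05T16:40:00.000Z",
      "0.9.1": "2025-11-24T07:13:30.000Z", // interleaved with the other
      "0.9.2": "2025-11-24T07:20:37.000Z", // package's releases
    },
  },
];

// Flatten the "time" maps into one chronological list of publish events,
// skipping the bookkeeping keys ("created", "modified") the registry adds.
function publishEvents(docs) {
  const events = [];
  for (const doc of docs) {
    for (const [key, iso] of Object.entries(doc.time)) {
      if (key === "created" || key === "modified") continue;
      events.push({ pkg: doc.name, version: key, at: Date.parse(iso) });
    }
  }
  return events.sort((a, b) => a.at - b.at);
}

// Group events into bursts: a burst is a run of publishes in which each one
// lands within windowMs of the previous, regardless of which package it
// belongs to. Runs shorter than minCount are ignored as normal release noise.
function findPublishBursts(docs, windowMs, minCount) {
  const bursts = [];
  let run = [];
  const flush = () => {
    if (run.length >= minCount) {
      bursts.push({
        packages: [...new Set(run.map((e) => e.pkg))],
        versions: run.map((e) => `${e.pkg}@${e.version}`),
        start: new Date(run[0].at).toISOString(),
        end: new Date(run[run.length - 1].at).toISOString(),
        spanMinutes: (run[run.length - 1].at - run[0].at) / 60000,
      });
    }
    run = [];
  };
  for (const e of publishEvents(docs)) {
    if (run.length > 0 && e.at - run[run.length - 1].at > windowMs) flush();
    run.push(e);
  }
  flush();
  return bursts;
}

// Assumed tuning: ten-minute gap tolerance, at least three publishes.
const BURSTS = findPublishBursts(SAMPLE_DOCS, 10 * 60 * 1000, 3);
console.log(JSON.stringify(BURSTS, null, 2));
```

Run it against the real documents for the packages your lockfile pins and compare any reported burst window with the timestamps in the vendor advisory; a burst that spans many unrelated packages published by the same account is the signal to act on, not a single quick patch release.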
Attacks on the npm supply chain this year plot a worrying trend, said Aikido Security in its analysis. “This is the third major wave we have tracked. It went from a handful of SAP packages in April, to 169 packages in the TanStack wave, to a much larger set of packages now. Each wave has been faster and broader than the last.”
“Here We Go Again”
Anyone unlucky enough to be infected by one of the malicious packages will find themselves on the receiving end of the potent Mini-Shai-Hulud worm, the source code for which was recently, and briefly, released to other criminals on GitHub.