According to analysis by SafeDep, the account in question, atool (i@hust.cc), which publishes the timeago.js JavaScript library, had rights to a large catalog of packages, including popular tools such as size-sensor (4.2 million downloads per month), echarts-for-react (3.8 million), @antv/scale (2.2 million), and timeago.js (1.15 million).
This level of privilege allowed the attacker to publish at least 637 malicious versions across 317 different npm packages in a single 22-minute burst. This resulted in the compromise of a large chunk of Alibaba’s AntV namespace, a growing platform used across Asia, the US, and Europe to build dashboards, user interfaces, and interactive applications.
Attacks on the npm supply chain this year plot a troubling trend, said Aikido Security in its analysis. “This is the third major wave we have tracked. It went from a handful of SAP packages in April, to 169 packages in the TanStack wave, to a much larger set of packages now. Each wave has been faster and broader than the last.”
“Here We Go Again”
Anyone unlucky enough to be infected by one of the malicious packages will find themselves on the receiving end of the potent Mini-Shai-Hulud worm, the source code for which was recently briefly released to other criminals on GitHub.
