{"id":50305,"date":"2025-12-04T21:40:41","date_gmt":"2025-12-05T02:40:41","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=50305"},"modified":"2025-12-04T21:42:43","modified_gmt":"2025-12-05T02:42:43","slug":"npm-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/12\/04\/npm-supply-chain-attack\/","title":{"rendered":"NPM Supply Chain Attack"},"content":{"rendered":"<p><a href=\"https:\/\/about.gitlab.com\/blog\/gitlab-discovers-widespread-npm-supply-chain-attack\/\">GitLab<\/a> (via <a href=\"https:\/\/news.ycombinator.com\/item?id=46070203\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/about.gitlab.com\/blog\/gitlab-discovers-widespread-npm-supply-chain-attack\/\"><p>Our internal monitoring system has uncovered multiple infected packages containing what appears to be an evolved version of the &ldquo;<a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/09\/23\/widespread-supply-chain-compromise-impacting-npm-ecosystem\">Shai-Hulud<\/a>&rdquo; malware.<\/p><p>Early analysis shows worm-like propagation behavior that automatically infects additional packages maintained by impacted developers. Most critically, we&rsquo;ve discovered the malware contains a &ldquo;<strong>dead man&rsquo;s switch<\/strong>&rdquo; mechanism that threatens to destroy user data if its propagation and exfiltration channels are severed.<\/p><p>[&#8230;]<\/p><p>The malware infiltrates systems through a carefully crafted multi-stage loading process. Infected packages contain a modified <code>package.json<\/code> with a preinstall script pointing to <code>setup_bun.js<\/code>. This loader script appears innocuous, claiming to install the Bun JavaScript runtime, which is a legitimate tool. However, its true purpose is to establish the malware&rsquo;s execution environment.<\/p><\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2025\/12\/02\/anthropic-acquires-bun\/\">Anthropic Acquires Bun<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2022\/03\/21\/npm-packages-sabotaged\/\">NPM Packages Sabotaged<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2016\/03\/23\/how-one-developer-broke-node-babel-and-thousands-of-projects\/\">How One Developer Broke Node, Babel, and Thousands of Projects<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/11\/24\/githubs-commitment-to-npm-ecosystem-security\/\">GitHub&rsquo;s Commitment to npm Ecosystem Security<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>GitLab (via Hacker News): Our internal monitoring system has uncovered multiple infected packages containing what appears to be an evolved version of the &ldquo;Shai-Hulud&rdquo; malware.Early analysis shows worm-like propagation behavior that automatically infects additional packages maintained by impacted developers. Most critically, we&rsquo;ve discovered the malware contains a &ldquo;dead man&rsquo;s switch&rdquo; mechanism that threatens to destroy [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2025-12-05T02:40:45Z","apple_news_api_id":"be68c705-6c9f-4e6b-889c-6e5b784639a3","apple_news_api_modified_at":"2025-12-05T02:42:46Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAA==","apple_news_api_share_url":"https:\/\/apple.news\/AvmjHBWyfTmuInG5beEY5ow","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[4],"tags":[2858,2252,346,504,1136,991,71,48],"class_list":["post-50305","post","type-post","status-publish","format-standard","hentry","category-programming-category","tag-bun","tag-gitlab","tag-javascript","tag-malware","tag-node-js","tag-open-source-software","tag-programming","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/50305","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=50305"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/50305\/revisions"}],"predecessor-version":[{"id":50313,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/50305\/revisions\/50313"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=50305"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=50305"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=50305"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}