Malicious bundle.js Script Steals Developer Credentials from 40+ npm Packages

A significant security breach has recently affected the npm ecosystem, compromising over 40 packages maintained by various developers. The attack involved the injection of a malicious script named bundle.js into these packages, enabling unauthorized access to sensitive credentials.

The compromised packages were updated with a function called NpmModule.updatePackage. This function downloads the package’s tarball, modifies its package.json file, injects the bundle.js script, repacks the archive, and republishes it. This process effectively trojanizes downstream packages, allowing the malicious code to spread across the ecosystem.

The injected bundle.js script is designed to download and execute TruffleHog, a legitimate secret scanning tool. Once executed, TruffleHog scans the host environment for various tokens and cloud credentials, including GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. Any discovered credentials are then sent to an attacker-controlled server.

Among the affected packages is the popular @ctrl/tinycolor, which receives over 2 million weekly downloads. This package, along with others, has been compromised as part of the broader supply chain attack.

The attackers gained access to the maintainer accounts through a phishing attack, which led to a two-factor authentication (2FA) reset. This allowed them to publish malicious updates to the affected packages within a short timeframe.

Even if your project doesn’t directly use the compromised packages, many projects depend on npm modules transitively. A stolen GitHub or npm token can let attackers publish more malicious packages, access private repositories, or pivot into cloud accounts, creating a chain reaction risk across many organizations.

Immediate steps developers should take include auditing their dependencies for any recent updates to the affected packages, rotating any exposed credentials, reviewing access logs for unusual activity, updating packages to their latest secure versions, and implementing regular secret scanning in their development processes.

Security teams and vendors have been rapidly analyzing payloads, publishing indicators of compromise (IoCs), and coordinating with npm to remove malicious package versions and notify maintainers. Several security companies have released detailed technical writeups that explain the payload and the command-and-control endpoints used by the attackers.

This incident underscores the importance of securing the software supply chain. Developers should remain vigilant and adopt best practices to protect their projects from such attacks.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news