Malicious npm Code Reached 10% of Cloud Environments
During the two-hour window in which the versions were available for download, any project that incorporated them into a frontend build and shipped the result as web assets would serve a malicious payload to every browser that loaded the affected website. The payload hooks network and wallet APIs to silently rewrite cryptocurrency recipients and approvals before signing, so that transactions are diverted to attacker-controlled wallets. Following the release of the malicious versions, our data shows that the malicious code itself could be found in at least 10% of cloud environments, present in bundles or assets. After the initial batch of infected packages, we identified a few more compromised accounts, including duckdb, which indicates that the campaign is still active. Malicious packages included @duckdb/node-api@1.3.3, @duckdb/duckdb-wasm@1.29.2, @duckdb/node-bindings@1.3.3, and duckdb@1.3.3.
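To check whether a build pulled in one of the duckdb versions named above, here is an added example (not code from the article or from the DuckDB project) that scans a lockfileVersion 2/3 package-lock.json, including nested node_modules entries, for those exact package@version pairs; the sample lockfile object is constructed for the demonstration.

```javascript
// Known-bad package@version pairs named in the article.
const COMPROMISED = new Map([
  ["@duckdb/node-api", ["1.3.3"]],
  ["@duckdb/duckdb-wasm", ["1.29.2"]],
  ["@duckdb/node-bindings", ["1.3.3"]],
  ["duckdb", ["1.3.3"]],
]);

// Derive the package name from a lockfile v2/v3 "packages" key such as
// "node_modules/@duckdb/node-api" or "node_modules/foo/node_modules/duckdb".
function packageNameFromPath(p) {
  const marker = "node_modules/";
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? p : p.slice(idx + marker.length);
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2/3)
// and return [{ name, version, path }] for every entry that matches a
// compromised version. Lockfile v1 ("dependencies" tree) is not handled here.
function findCompromised(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // the root project entry, not a dependency
    const name = entry.name || packageNameFromPath(path);
    const badVersions = COMPROMISED.get(name);
    if (badVersions && badVersions.includes(entry.version)) {
      hits.push({ name, version: entry.version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile (not real project data): one direct hit, one
// safe version of an affected package, and one hit nested under another lib.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/duckdb": { version: "1.3.3" },
    "node_modules/@duckdb/node-api": { version: "1.3.2" },
    "node_modules/some-lib/node_modules/@duckdb/duckdb-wasm": { version: "1.29.2" },
  },
};

// Stand-alone run: list the matches found in the constructed sample.
const DEMO_HITS = findCompromised(SAMPLE_LOCK);
for (const h of DEMO_HITS) console.log(`compromised: ${h.name}@${h.version} at ${h.path}`);
```

Point the scan at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a clean result does not clear an already-shipped bundle, which should be checked separately.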
For the full article, visit: Infosecurity Magazine.