Tag: malware

The npm Supply Chain Attack

May 13, 2026

Opening: A Story You Already Know

Imagine your favourite bottled water brand — trusted, widely distributed, consumed daily by millions. Now imagine a criminal gains access to the bottling factory and injects a contaminant into a single production run. The bottles look identical. The labels are correct. But the contents are poisoned.

This is not a hypothetical food safety scenario. On May 11, 2026, this exact playbook was executed in the digital world — and the consequences rippled across thousands of software development teams globally.

The target? npm — the world’s largest public software library. The method? A coordinated supply chain attack. The victims? Companies including TanStack, Mistral AI, UiPath, and OpenSearch — names that sit at the heart of modern software development and artificial intelligence.

This blog post unpacks what happened, why it matters, and what every professional — technical or not — needs to understand and do about it.

What is npm? (For the Non-Technical Reader)

Before we dive into the attack, let’s understand the battlefield.

When software developers build applications — whether a banking app, a hospital system, or an AI chatbot — they don’t write every single piece of code from scratch. Instead, they use pre-built, ready-made code components called packages, downloaded from a shared online library.

npm (Node Package Manager) is the world’s largest such library — a public repository hosting over 2 million packages, freely available to anyone. Think of it as a massive, open hardware store where developers pick up ready-made components to build their software faster.

The key word here is public. Anyone can create a free account and publish packages. Anyone can download them without even logging in. This openness is npm’s greatest strength — and, as this attack demonstrates, its most dangerous vulnerability.

🔑 Key Point — The Public Repository Risk: Public software repositories operate on a trust model. Developers assume that packages published under a known, reputable name are safe. Attackers exploit this trust by compromising publishing credentials and inserting malicious code into packages that developers already rely on.

What Happened? The Attack Explained Simply

On the night of May 11, 2026, a security company called SafeDep detected something unusual: a sudden burst of new software package versions being published to npm — over 401 versions across 170 packages, all within a five-hour window.

This was no ordinary update cycle. It was a coordinated attack.

Here is what the attacker did, step by step:

  1. Obtained publishing credentials — The attacker gained the “master keys” to publish new versions of legitimate, trusted packages. This was likely achieved through phishing, credential theft, or compromising a developer’s account or device.
  2. Published poisoned versions — New, slightly higher version numbers were released for popular packages. To a developer checking for updates, these looked completely legitimate.
  3. Hidden trap activated — Inside these new versions, the attacker had replaced normal build scripts with a hidden instruction: the moment a developer installed the package, malicious code would automatically run in the background — silently, without any warning.
  4. Credentials stolen — The malicious code immediately began searching for and stealing sensitive access keys: cloud server credentials, GitHub tokens, and software publishing passwords.
  5. Self-propagation — Using those stolen credentials, the attacker then planted more malicious code into the victims’ own code repositories — meaning the next developer who downloaded the project would also be infected.

🔑 Key Point — The Preinstall Hook Exploit: npm allows packages to run scripts automatically during installation — a legitimate feature used for setup tasks. In this attack, the entire legitimate content was replaced with a single malicious “preinstall” hook. This is an abuse of a trusted, built-in feature — making detection harder because the mechanism itself is normal.

Who Was Affected?

The scale and selection of targets is what makes this attack remarkable. The attacker did not cherry-pick one or two packages — they went after entire families of packages at once:

Company / ProjectPackages HitScale
TanStackReact Router, Vue Router, Solid Router, Dev Tools42 packages, 84 versions
Mistral AICore SDK, Azure integration, GCP integration3 packages, 9 versions
UiPathEntire automation platform scope65 packages, 65 versions
OpenSearchJavaScript client1 package, 1 version
Otherssquawk, tallyui, beproduct, draftauth, and more59+ packages

TanStack Router alone has over 3 million weekly downloads. The potential blast radius of this attack — had it gone undetected longer — was enormous.

🔑 Key Point — Blast Radius: In security, “blast radius” refers to how far damage can spread from a single compromised point. Supply chain attacks have an exceptionally large blast radius because one poisoned package can infect thousands of downstream applications and organisations that rely on it.

What Did the Malicious Code Actually Do?

For the more technical reader, here is a breakdown of the payload’s capabilities — and they are sophisticated.

4.1 Credential Harvesting

The malicious code contained a modular credential-stealing framework with dedicated modules targeting:

  • AWS cloud credentials — Access keys, secret keys, and even instance credentials from AWS’s internal metadata service
  • GitHub tokens — Personal access tokens, OAuth tokens, GitHub App installation tokens, and GitHub Actions workflow tokens
  • npm publish tokens — Giving the attacker the ability to publish further poisoned packages under more identities
  • HashiCorp Vault tokens — Used by enterprises to store sensitive secrets and passwords

🔑 Key Point — Credential Chaining: Notice the logic here. By stealing npm publish tokens, the attacker can create more poisoned packages. By stealing GitHub tokens, they can inject malicious code into more repositories. By stealing AWS keys, they can access cloud infrastructure. Each stolen credential opens another door. This is called lateral movement in cybersecurity — moving from one compromised system to deeper, more sensitive ones.

4.2 Exfiltration via Session Protocol — Hiding in Plain Sight

Most malware sends stolen data to a command-and-control server — a fixed address that security teams can detect and block. This attacker was smarter.

They used the Session messaging app — an encrypted, decentralised messenger — to send stolen credentials. Because Session uses a network of distributed nodes (similar in concept to how Tor works), there is no single server to block or take down. The stolen data was routed through the network invisibly.

🔑 Key Point — Decentralised Exfiltration: Traditional security monitoring looks for suspicious connections to known bad IP addresses. When attackers use decentralised, encrypted messaging networks, they bypass this detection method entirely. This represents an evolution in attack sophistication that demands equally evolved detection strategies.

4.3 IDE and AI Agent Poisoning — The Most Alarming Part

Perhaps the most innovative — and alarming — aspect of this attack was its targeting of developer tools directly:

  • Claude Code (Anthropic’s AI coding assistant) configuration files were replaced with malicious versions
  • VS Code task runner configurations were poisoned

By committing these malicious configuration files into victims’ code repositories via GitHub, the attacker ensured that other developers who later cloned or downloaded the project would also have their tools hijacked — creating a self-spreading mechanism.

🔑 Key Point — AI Tool Attack Surface: As AI coding assistants become standard in developer workflows, they introduce a new attack surface. Malicious actors who can inject instructions into AI agent configuration files can effectively redirect what the AI does on a developer’s machine — silently executing attacker-controlled code under the guise of normal AI assistance. This is an emerging and rapidly growing threat vector.

Why Did This Happen? — The Root Causes

This attack did not happen because of some exotic, impossible-to-prevent vulnerability. It happened because of well-known, preventable security gaps.

Root Cause 1: Weak or Absent Multi-Factor Authentication (MFA)

Publishing credentials were obtained by the attacker. Had the accounts required a second form of authentication — a phone confirmation, a hardware key — stolen passwords alone would not have been enough. npm does offer MFA. It was either not enabled or not enforced.

Root Cause 2: No Cryptographic Package Signing

When you download a package from npm, you are trusting that it came from who it says it came from. Cryptographic signing would allow npm to mathematically verify this. Without it, anyone with valid credentials can publish anything under any name.

Root Cause 3: Automated, Unverified Updates

Many development pipelines automatically pull the latest package versions. Speed and convenience are prioritised over verification. When a poisoned version appears, it gets pulled in automatically before anyone notices.

Root Cause 4: Excessive Implicit Trust in Public Repositories

The entire ecosystem operates on trust. Popular packages are assumed safe. This cultural assumption, without technical enforcement, is a systemic vulnerability.

🔑 Key Point — Zero Trust Applies Here Too: The Zero Trust security principle — “never trust, always verify” — applies not just to network access but to software supply chains. Just because a package has millions of downloads and a reputable name does not mean the version you are installing today is safe.

What Should Organisations Do? — Controls and Recommendations

Immediate Actions

  1. Audit your project lockfiles for any of the 170 compromised packages and their affected version numbers (full list available at safedep.io)
  2. Rotate all potentially exposed credentials immediately — AWS keys, GitHub tokens, npm tokens
  3. Scan codebases for unexpected files in .claude/ and .vscode/ directories

Technical Controls

  • Enable MFA on all npm, GitHub, and cloud provider accounts
  • Use hardware security keys (FIDO2/WebAuthn) for publishing accounts
  • Implement dependency pinning — lock packages to specific verified versions rather than accepting automatic updates
  • Deploy software composition analysis (SCA) tools to continuously monitor for known malicious packages
  • Use package manager proxies that block known malicious packages before they reach developer machines

Administrative Controls

  • Establish a formal Software Supply Chain Security Policy
  • Enforce least-privilege on who can publish packages
  • Conduct regular security awareness training specifically covering supply chain risks
  • Define an incident response procedure specifically for supply chain compromise events
  • Require security review before adopting new third-party packages

Preventative Controls

  • Maintain a vetted, approved list of third-party packages (software bill of materials — SBOM)
  • Subscribe to threat intelligence feeds that track malicious package publications
  • Implement CI/CD pipeline checks that block builds if suspicious package versions are detected
  • Regularly verify the integrity of developer tool configurations (VS Code, AI coding assistants)

Certification Spotlight

This section is specifically for readers preparing for CISSP, CCSP, or AAISM certifications. The concepts in this attack map directly to examination domains.

📘 CISSP — Certified Information Systems Security Professional

This attack touches multiple CISSP domains:

CISSP DomainConcept Illustrated in This Attack
Domain 1 — Security & Risk ManagementThird-party risk management; supply chain risk; risk appetite vs. control implementation
Domain 2 — Asset SecurityCredential management; data classification of publishing tokens and cloud keys
Domain 3 — Security ArchitectureZero Trust architecture; defence in depth; attack surface analysis
Domain 4 — Communication & Network SecurityDecentralised exfiltration via Session protocol; C2 channel evasion techniques
Domain 6 — Security AssessmentSoftware Composition Analysis (SCA); vulnerability scanning of dependencies
Domain 7 — Security OperationsIncident response; credential rotation; IOC (Indicator of Compromise) analysis
Domain 8 — Software Development SecuritySecure SDLC; dependency management; code signing; preinstall hook abuse

🎓 CISSP Exam Note: Supply chain attacks are increasingly tested under Domain 1 (third-party risk) and Domain 8 (secure software development). Understand the concept of a Software Bill of Materials (SBOM) — it is a key control for managing third-party software risk and is referenced in NIST guidelines that CISSP candidates should be familiar with.

☁️ CCSP — Certified Cloud Security Professional

The cloud dimension of this attack is particularly relevant for CCSP candidates:

CCSP DomainConcept Illustrated in This Attack
Domain 1 — Cloud Concepts & ArchitectureShared responsibility model — npm is a cloud-hosted service; who is responsible for security?
Domain 2 — Cloud Data SecurityAWS IAM credential theft; cloud metadata service exploitation (169.254.169.254)
Domain 3 — Cloud Platform SecurityCI/CD pipeline compromise; GitHub Actions token theft; cloud-native attack vectors
Domain 4 — Cloud Application SecuritySecure software supply chain; dependency management in cloud-native development
Domain 6 — Legal & ComplianceBreach notification obligations when cloud credentials are exposed; data sovereignty implications of exfiltration via decentralised networks

🎓 CCSP Exam Note: The exploitation of the AWS metadata endpoint (169.254.169.254) is a well-known cloud attack technique called Instance Metadata Service (IMDS) abuse. CCSP candidates should understand how IMDSv2 (requiring session-oriented requests) mitigates this attack, and why organisations should enforce IMDSv2 on all EC2 instances.

AAISM — Advance in AI Security Management

For AAISM candidates, this incident raises important governance, organisational, and risk management considerations:

AAISM AreaConcept Illustrated
Security Risk ManagementThird-party and supply chain risk as an organisational risk category; likelihood vs. consequence analysis
Organisational SecuritySecurity culture — developers not enabling MFA represents a human and cultural risk, not just a technical one
Security GovernanceBoard and executive notification obligations when a supply chain incident occurs; escalation frameworks
Physical and Personnel SecurityInsider threat considerations — compromised developer credentials blur the line between insider and outsider threat
Incident ManagementDetecting, containing, and recovering from a software supply chain incident; communicating with stakeholders
Business ContinuityImpact of supply chain compromise on business operations; recovery time objectives for affected systems

🎓 AAISM Exam Note: Australian organisations should also consider their obligations under the Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme if this attack resulted in exposure of personal information. The Australian Cyber Security Centre (ACSC) Essential Eight framework is directly relevant here — particularly controls around application patching, application control, and restricting administrative privileges.

The Bigger Picture — An Escalating Threat

This attack did not happen in isolation. It is part of a clear, escalating trend in 2026:

  • In March 2026, the axios npm package (used in virtually every JavaScript project) was similarly compromised
  • In May 2026, within days of this attack, further npm malware incidents were reported targeting DeFi platforms and Telegram

The pattern is unmistakable: attackers have identified the software supply chain as a high-value, under-defended attack surface. One compromised publishing credential can reach millions of developers instantly. The return on investment for attackers is extraordinarily high.

What is perhaps most alarming about this specific attack is the deliberate targeting of AI coding tools. As artificial intelligence becomes embedded in the software development workflow, it creates a new and largely unexplored attack surface. Poisoning an AI assistant’s configuration is not just an attack on one developer — it is an attack on every piece of code that AI assistant helps write, review, or deploy.

🔑 Key Point — AI as an Attack Vector: We are entering an era where AI systems are not just tools but active participants in software development. Security frameworks, policies, and controls must evolve to account for the integrity of AI agent configurations as a critical security asset — not an afterthought.

Conclusion: Trust Must Be Earned — Not Assumed

The npm supply chain attack of May 2026 is a watershed moment. It demonstrates that the implicit trust the software industry places in public repositories is a systemic vulnerability that attackers are now exploiting at scale, with automation, and with increasing sophistication.

The good news: the tools to prevent this exist. Multi-factor authentication, cryptographic signing, dependency pinning, software composition analysis, and Zero Trust thinking applied to software supply chains can dramatically reduce the risk.

The challenging news: these tools only work if organisations choose to implement them — consistently, completely, and as a cultural commitment rather than a compliance checkbox.

In the words of a fundamental security principle: trust, but verify. In the modern threat landscape, even that is no longer enough. The new standard must be: verify, then trust — and keep verifying.

References and Further Reading

  1. SafeDep — Mass npm Supply Chain Attack Hits TanStack, Mistral AI, and 170+ Packages (May 2026): https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral
  2. NIST Special Publication 800-161r1 — Cybersecurity Supply Chain Risk Management Practices
  3. CISA — Software Supply Chain Security Guidance
  4. Australian Cyber Security Centre (ACSC) — Essential Eight Maturity Model
  5. ISC2 CISSP Common Body of Knowledge — Domain 8: Software Development Security
  6. CSA — Cloud Controls Matrix v4.0 (Supply Chain Management, Transparency and Accountability domain)
  7. npm Security Advisory — Best Practices for Package Publishers
  8. OWASP — Software Component Verification Standard (SCVS)

This blog post was written for both general and professional audiences. Certification callouts are for educational reference only and do not constitute official exam guidance. Always refer to official body of knowledge materials for examination preparation.

Tags: #SupplyChainSecurity #npm #CISSP #CCSP #AAISM #CyberSecurity #MistralAI #TanStack #UiPath #DeveloperSecurity #ZeroTrust #SoftwareSupplyChain #Malware2026

OTP tools and the risk of DLL Sideloading

June 7, 2024

Recently i was doing some research around OTP softwares much like Google Authenticator or MS Authenticator and came across the topic of DLL Sideloading. Though this topic is quite old, i thought it is good to share me learning outcome.

Okay, in simple terms, imagine you have a secret code that can open a magical door in a castle. But instead of keeping this code safe, you leave it lying around where someone naughty can find it. Now, that naughty person uses your code to open the magical door and sneak into the castle, causing mischief.

In computer terms, a DLL (Dynamic Link Library) is like a special code that helps programs run smoothly. Now, a DLL Sideloading attack is when a sneaky person tricks a computer into using a bad DLL instead of the good one. Just like using the wrong key for the magical door, this bad DLL can let naughty things happen on the computer, like letting viruses or bad software sneak in. So, it’s important to keep our computer’s keys (DLLs) safe and not let any sneaky tricks happen!

DLL sideloading is an attack technique where a malicious DLL (Dynamic Link Library) file is placed in a directory that is trusted or commonly accessed by a legitimate application. When the application runs, it inadvertently loads and executes the malicious DLL instead of the legitimate one.

Reasons Why It Is Difficult to Deal With:

  1. Automatic Loading: The runtime DLL required for the one-time password (OTP) tool is automatically loaded by Windows, which means the system expects and trusts certain DLLs to be present and executable without user intervention.
  2. Fixed DLL Specification: The OTP tool does not allow the user to specify which DLLs to load, relying instead on default system behavior to find and load the necessary libraries.
  3. Security Environment: Ensuring that the device running the OTP tool is in an up-to-date security environment can reduce the risk. This includes maintaining the latest security patches, antivirus definitions, and security configurations.

Mitigations:

  • Keep Software and OS Updated: Regularly update the operating system and all software to patch known vulnerabilities.
  • Antivirus/Antimalware Tools: Use reliable antivirus and antimalware tools to detect and remove malicious DLLs.
  • Application Whitelisting: Implement application whitelisting to prevent unauthorized DLLs from being loaded.
  • Directory Permissions: Restrict write permissions to directories where legitimate DLLs are stored to prevent unauthorized modifications.
  • Monitoring and Logging: Continuously monitor and log application behavior to detect and respond to abnormal DLL loading activities.

The difference between path-based and signature-based DLL loading methods lies in how the operating system or application identifies and loads the required Dynamic Link Libraries (DLLs).

Path-Based DLL Loading

Description:

  • Method: The operating system or application loads a DLL based on its file path. This means the system will search for the DLL in specific directories in a predetermined order until it finds a matching file name.
  • Search Order: Typically, the search order might include the application’s directory, system directories (like System32), the Windows directory, and directories listed in the system’s PATH environment variable.
  • Risks: Path-based loading is susceptible to DLL hijacking or sideloading attacks. If a malicious DLL with the same name as a legitimate DLL is placed in a directory that is searched earlier in the order, the malicious DLL will be loaded instead of the legitimate one.

Example: If an application needs a DLL called example.dll, it might look in:

  1. The application’s own directory.
  2. The system directory (e.g., C:\Windows\System32).
  3. The Windows directory (e.g., C:\Windows).
  4. Any directories listed in the PATH environment variable.

Signature-Based DLL Loading

Description:

  • Method: The operating system or application loads a DLL based on a digital signature that verifies the identity and integrity of the DLL. This involves using cryptographic methods to ensure that the DLL has not been tampered with and is from a trusted source.
  • Verification Process: The system checks the digital signature against a trusted certificate authority (CA). If the signature is valid and the DLL is from a trusted source, the DLL is loaded.
  • Advantages: This method enhances security by ensuring that only DLLs from trusted sources are loaded, mitigating risks from malicious or tampered DLLs.

Example: An application might require a DLL to have a specific digital signature from a trusted CA. Before loading example.dll, the system checks its signature against the trusted CA. If the signature is valid and trusted, the DLL is loaded; otherwise, it is rejected.

Comparison

Path-Based DLL Loading:

  • Pros:
    • Simpler and faster, as it relies on the file path and name.
    • No need for complex verification processes.
  • Cons:
    • Vulnerable to attacks such as DLL hijacking or sideloading.
    • Relies heavily on the correct configuration of directory paths.

Signature-Based DLL Loading:

  • Pros:
    • More secure as it ensures the integrity and authenticity of the DLL.
    • Reduces the risk of loading malicious or tampered DLLs.
  • Cons:
    • Requires a valid digital signature and access to a trusted CA.
    • Slightly more complex and resource-intensive due to the need for cryptographic verification.

Mitigation Strategies

To mitigate the risks associated with path-based DLL loading:

  • Use Absolute Paths: Specify absolute paths to DLLs whenever possible to avoid ambiguity.
  • Directory Permissions: Secure directories by restricting write permissions to prevent unauthorized placement of malicious DLLs.
  • Application Whitelisting: Implement whitelisting to allow only known and trusted DLLs to be loaded.

For signature-based DLL loading:

  • Regular Updates: Ensure that certificates and signatures are kept up-to-date.
  • Trusted Sources: Only use DLLs from trusted and verified sources.
  • Monitor and Audit: Regularly monitor and audit DLL usage and loading processes to detect any anomalies.

By understanding and implementing these methods appropriately, organizations can significantly enhance their application’s security against DLL-related threats.

If laptops are secured and properly controlled for antivirus and patches, the likelihood of exploitation through DLL sideloading vulnerabilities is significantly reduced. However, it is essential to understand that while these measures provide a robust defense, they do not entirely eliminate the risk. Here’s why:

Factors Reducing the Risk

  1. Antivirus and Antimalware Protection:
    • Real-Time Protection: Modern antivirus and antimalware solutions offer real-time protection that can detect and block known malicious DLLs before they can be executed.
    • Heuristic Analysis: These tools use heuristic and behavioral analysis to detect suspicious activities that might indicate a DLL sideloading attempt, even if the specific malware is not in their signature database.
  2. Regular Patching and Updates:
    • Operating System Updates: Regularly updating the operating system ensures that known vulnerabilities, including those that might facilitate DLL sideloading, are patched.
    • Application Updates: Keeping applications up-to-date helps close security loopholes that could be exploited by malicious DLLs.
  3. Controlled Environment:
    • Restricted Administrative Access: Limiting administrative privileges can prevent unauthorized installation of malicious software that might place a malicious DLL in the system.
    • Application Whitelisting: Implementing application whitelisting can ensure that only approved and trusted applications and their DLLs are executed.

Remaining Risk Factors

  1. Zero-Day Exploits:
    • Unknown Vulnerabilities: Even with up-to-date systems and antivirus software, zero-day vulnerabilities (previously unknown security flaws) can be exploited by sophisticated attackers to bypass these defenses.
  2. User Behavior:
    • Phishing and Social Engineering: Users might inadvertently download and execute malicious files if they are tricked by phishing attacks or other forms of social engineering.
  3. Sophisticated Malware:
    • Advanced Persistent Threats (APTs): Some malware is specifically designed to evade detection by antivirus software and can employ advanced techniques to achieve DLL sideloading.

Overall Likelihood

Given the strong security measures in place (antivirus, patches, controlled environment), the likelihood of exploitation through DLL sideloading is low but not zero. The effectiveness of these measures largely depends on their consistent and proper implementation.

Mitigations to Further Reduce Risk

  • Enhanced Monitoring: Implementing advanced endpoint detection and response (EDR) tools can provide deeper insights into system activities and potential threats.
  • User Education: Regular training for users on recognizing phishing attempts and other social engineering tactics can reduce the likelihood of accidental malware execution.
  • Regular Security Audits: Conducting periodic security audits can help identify and mitigate potential vulnerabilities that might have been overlooked.

By maintaining a vigilant and layered security approach, the risk of DLL sideloading exploitation can be minimized to a very low level.