An NPM package with 2 million weekly downloads had malicious code injected into it…
Casey Ellis, CTO at Bugcrowd:
“Last week an attacker breached a widely used (2M+ installs) Node.js module. The attacker began by submitting to the project, building trust, and eventually gaining owner-level access, which enabled the attacker to push a compromised version, snarfing Bitcoin and Ethereum hot wallet credentials so they could be stolen and used for malicious activity.
The main takeaway with this attack is that in the world of modern software, it’s turtles all the way down… Just because the code you write is secure doesn’t mean that the code other developers write for you is. The only way to get ahead of this is to practice deep and continuous abuse-case (i.e., security) testing.”