NPM supply chain attack on React Native Aria

NPM security alert: supply chain attack on React Native Aria


Insidious malware infiltrates more than a dozen popular NPM packages, exposing millions of projects to an unprecedented NPM supply chain attack.

Understanding the NPM supply chain attack and its impact

The attack, recently disclosed by Aikido Security, compromised more than a dozen NPM packages with over a million weekly downloads. This attack specifically targeted the React Native Aria ecosystem, an open-source library widely used in the development of modern mobile and web applications. The attackers injected Remote Access Trojan (RAT) malware into these packages, enabling remote command execution, screen capture, and file exfiltration from infected machines.
This NPM supply chain attack illustrates the growing fragility of open source software supply chains, where the trust placed in maintainers and transitive dependencies can be exploited at scale.

How does the malware work and who are its targets?

The malware discovered in this NPM supply chain attack allows cybercriminals to:

  • Execute shell commands remotely,
  • Capture screenshots without the user’s knowledge,
  • Transfer sensitive files to external servers,
  • Retrieve system information and the public IP address,
  • Persist on the system, notably on Windows via a dedicated folder (%LOCALAPPDATA%\Programs\Python\Python3127, a name chosen to look like a legitimate Python 3.12.7 installation directory).

The potential consequences are multiple: data theft, cryptocurrency mining, service interruption, and even propagation to other connected environments. The compromised packages, a list of which is published by Aikido, are used by developers around the world, which amplifies the scale of the attack.

Why is this NPM supply chain attack so worrying?

This NPM supply chain attack is not the result of an accidental flaw, but rather a deliberate compromise of trust in the open source ecosystem. Attackers are targeting popular packages, leveraging their reputation to distribute their malware on a large scale. This demonstrates that the security of open source dependencies is now a major issue for the entire digital sector, from independent developers to large enterprises.

How to protect yourself against NPM supply chain attacks?

Faced with this NPM supply chain attack, several security measures are required:

  • Precisely inventory all open source dependencies used in your projects to react quickly in the event of an alert.
  • Use lock files to freeze versions and prevent unexpected updates.
  • Check the update history and maintainer identity before integrating a new package.
  • Automate security scans in the CI/CD chain to detect suspicious or malicious behavior.
  • Monitor outgoing connections to the command-and-control (C2) IP addresses listed by Aikido (e.g. 136.0.9[.]8, 85.239.62[.]36).
  • Immediately pin the affected packages to a version published before June 6, 2025 (the date of the compromise) and reinstall from a clean lock file. Since the payload is a RAT, rolling back the dependency does not clean a machine that already ran the malicious version: treat any host that installed a compromised release as potentially compromised and rotate the credentials it had access to.

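The measures above (inventory, lock files, checking publish history, CI scanning, egress monitoring, and pinning to pre-June 6 versions) can largely be automated. The following Node.js script is an added example written for this page; it is not Aikido's tooling nor code from the React Native Aria project. It audits a package-lock.json against a cutoff date using the `time` map that the npm registry returns for each package (`GET https://registry.npmjs.org/<name>`), flags tarballs resolved from outside the official registry, and scans firewall-style egress log lines for the two C2 IPs named above. The lock file, registry metadata, log lines, and package names (`example-aria-widget`, `example-safe-lib`, `example-mirror-lib`) are all constructed placeholders, embedded inline so the example runs offline.

```javascript
// Added example: lock-file audit + egress IOC scan for the incident discussed above.
// Not code from Aikido or the React Native Aria project. All sample data below is constructed.

const CUTOFF = new Date("2025-06-06T00:00:00Z"); // compromise date given in the post
const OFFICIAL_REGISTRY = "https://registry.npmjs.org/";
// C2 IPs named in the post (defanged there as 136.0.9[.]8 and 85.239.62[.]36)
const C2_IPS = new Set(["136.0.9.8", "85.239.62.36"]);

// Constructed package-lock.json (lockfileVersion 3 "packages" map); names are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" }, // root project entry
    "node_modules/example-aria-widget": {
      version: "0.2.9",
      resolved: "https://registry.npmjs.org/example-aria-widget/-/example-aria-widget-0.2.9.tgz",
    },
    "node_modules/example-safe-lib": {
      version: "4.1.0",
      resolved: "https://registry.npmjs.org/example-safe-lib/-/example-safe-lib-4.1.0.tgz",
    },
    "node_modules/example-mirror-lib": {
      version: "1.0.0",
      resolved: "https://mirror.example.invalid/example-mirror-lib-1.0.0.tgz",
    },
  },
};

// Constructed stand-in for the registry's "time" object: { "<version>": "<ISO publish date>" }.
// In a real run this would be fetched per package from the registry.
const sampleRegistryTime = {
  "example-aria-widget": { "0.2.8": "2025-05-20T10:00:00.000Z", "0.2.9": "2025-06-06T14:12:00.000Z" },
  "example-safe-lib": { "4.1.0": "2025-03-01T09:00:00.000Z" },
  "example-mirror-lib": { "1.0.0": "2024-11-11T11:11:00.000Z" },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry ("") yields null.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Returns one finding per dependency that is (a) resolved from outside the official registry,
// (b) missing a publish date in the registry metadata, or (c) published on/after the cutoff.
function auditLock(lock, registryTime, cutoff = CUTOFF) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name) continue;
    if (entry.resolved && !entry.resolved.startsWith(OFFICIAL_REGISTRY)) {
      findings.push({ name, version: entry.version, reason: `resolved outside official registry: ${entry.resolved}` });
    }
    const published = registryTime[name]?.[entry.version];
    if (published === undefined) {
      findings.push({ name, version: entry.version, reason: "no publish date in registry metadata" });
    } else if (new Date(published) >= cutoff) {
      findings.push({ name, version: entry.version, reason: `published ${published}, on/after cutoff` });
    }
  }
  return findings;
}

// Constructed egress log lines in a generic firewall format; two of them hit the C2 set.
const sampleLogLines = [
  "2025-06-07T08:01:12Z fw1 ALLOW src=10.0.0.15:51234 dst=104.16.0.1:443 proto=tcp",
  "2025-06-07T08:01:15Z fw1 ALLOW src=10.0.0.15:51240 dst=136.0.9.8:3306 proto=tcp",
  "2025-06-07T08:02:00Z fw1 ALLOW src=10.0.0.22:44002 dst=85.239.62.36:3306 proto=tcp",
];

// Returns every line whose destination IP is in the IOC set.
function scanEgress(lines, iocs = C2_IPS) {
  const dstRe = /\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/;
  const hits = [];
  for (const line of lines) {
    const m = dstRe.exec(line);
    if (m && iocs.has(m[1])) hits.push({ ip: m[1], port: Number(m[2]), line });
  }
  return hits;
}

for (const f of auditLock(sampleLock, sampleRegistryTime)) console.log("LOCK:", f.name, f.version, "-", f.reason);
for (const h of scanEgress(sampleLogLines)) console.log("EGRESS:", h.ip, "port", h.port);
```

In a CI job, `sampleLock` would be replaced by `JSON.parse(fs.readFileSync("package-lock.json"))` and `sampleRegistryTime` filled from the registry per package; failing the build on any non-empty `auditLock` result is what turns the checklist above into a gate rather than a reminder.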
Collective vigilance and automation of controls are essential to limit the spread of this type of attack.

Which sectors are most exposed?

The NPM supply chain attack particularly impacts:

  • Technology companies relying heavily on microservices and modular architectures,
  • Startups that prioritize speed of development through the integration of open source packages,
  • SaaS solution publishers,
  • Mobile and web application developers using React Native and its dependencies.

By compromising the software supply chain, attackers can impact thousands of applications and services, jeopardizing user data security and business continuity.

Perspectives and challenges for the future of open source security

This NPM supply chain attack on the React Native Aria ecosystem marks a turning point: trust in open source must now be accompanied by stronger controls and a culture of transparency. Companies and developers must adopt a proactive stance, integrating security into the core of the software lifecycle. The future of digital innovation will depend on the collective ability to anticipate and counter these sophisticated threats.

And you, what measures have you implemented to secure your open source dependencies? Do you think the community needs to strengthen governance around NPM packages? Share your experiences and solutions in the comments!
