Npm Cyberattack Underscores ‘Real Resilience’ Needed To Protect Supply Chain

Open-source components like the compromised npm packages make up 90 percent of modern software applications.

A recently discovered cyberattack involving malware-injected packages that developers widely download to build JavaScript projects has raised considerable alarm about the safety of the software supply chain.

Npm is the package manager and public registry through which developers share code to build JavaScript applications. GitHub acquired npm in 2020.

Alerts that the code packages had been infected spread across social media on Monday.

The targeted npm packages are downloaded 2 billion times per week, said Mackenzie Jackson, a prominent developer and security advocate, in a LinkedIn post.

That download volume shows how far these packages reach: they can sit anywhere in a software stack, including deep in the dependency trees that make up the software supply chain, often without the consuming project depending on them directly.
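To turn that observation into a concrete check, here is an added example (not code from the article, npm or GitHub) that audits a package-lock.json for a list of package versions, including transitive copies nested under other packages. The package names, versions and sample lockfile below are constructed placeholders for illustration, not the packages involved in this incident; substitute the list from the relevant advisory.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2 or 3) for known-bad versions.
// In those lockfile formats, "packages" maps install paths such as "node_modules/foo"
// or "node_modules/foo/node_modules/bar" to objects carrying at least {version}.

// Hypothetical denylist: package name -> set of compromised versions.
// Constructed for this example; replace with the advisory's actual list.
const DENYLIST = {
  'example-left-pad': new Set(['1.3.1']),
  'example-color-util': new Set(['2.0.5', '2.0.6']),
};

// Recover the package name from a lockfile path. Scoped names keep their "@scope/"
// prefix; the root entry "" and workspace paths (no "node_modules/") yield null.
function nameFromLockPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  if (idx === -1) return null;
  return lockPath.slice(idx + 'node_modules/'.length);
}

// Walk every installed copy, nested or not, and report those on the denylist.
function findCompromised(lock, denylist = DENYLIST) {
  if (!lock.packages) {
    throw new Error('unsupported lockfile: need lockfileVersion 2 or 3 ("packages" map)');
  }
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const name = nameFromLockPath(lockPath);
    if (!name || !entry.version) continue;
    const bad = denylist[name];
    if (bad && bad.has(entry.version)) {
      hits.push({ name, version: entry.version, path: lockPath, dev: Boolean(entry.dev) });
    }
  }
  return hits;
}

// Read a lockfile from disk and audit it.
function auditLockfile(file, denylist = DENYLIST) {
  const fs = require('fs');
  return findCompromised(JSON.parse(fs.readFileSync(file, 'utf8')), denylist);
}

// Constructed sample lockfile: a clean direct dependency, plus a compromised version
// pulled in transitively by a dev-only CLI tool and nested under it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'example-left-pad': '^1.3.0' } },
    'node_modules/example-left-pad': { version: '1.3.0' },
    'node_modules/some-cli': { version: '4.1.0', dev: true },
    'node_modules/some-cli/node_modules/example-color-util': { version: '2.0.6', dev: true },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]
// Without an argument the constructed sample is audited instead.
const target = process.argv[2];
const found = target ? auditLockfile(target) : findCompromised(SAMPLE_LOCK);
for (const h of found) {
  console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}${h.dev ? ' (devDependency)' : ''}`);
}
if (target) process.exitCode = found.length ? 1 : 0;
```

The audit deliberately matches on the installed path rather than on the root manifest, because a compromised version is most often reached through another package's dependency tree, and a clean top-level pin says nothing about nested copies. A `dev: true` hit still matters: build tooling runs on developer machines and CI, which is where install-time payloads execute.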

In an emailed statement to MES Computing, a spokesperson from GitHub confirmed that “all impacted packages have been removed, and there is currently no evidence of any compromise to GitHub or its systems.”

The affected npm packages were disabled, the spokesperson also said. “We encourage our community to report abuse and spam to help us keep the platform safe.”

What makes this compromise particularly alarming is the threat it poses to the supply chain, one CEO said.

“As a central hub for modern software, nearly every company with an online presence will depend on npm, often without realizing. Any compromise's impact will spread far and wide, making a breach like this seem especially alarming,” said Jonathan Gill, CEO of Panaseer, which provides a Continuous Controls Monitoring (CCM) security platform.


Open-source components like the compromised npm packages make up 90 percent of modern software applications and are therefore ubiquitous throughout the software supply chain, according to a report from Sonatype, which provides automated software supply chain security.

Sonatype’s report also showed a 156 percent year-over-year increase in malicious open-source packages from 2023 to 2024.

Gill offered some advice for IT leaders on supply chain security: “To avoid feeling overwhelmed by attacks which expose not just one company but entire ecosystems, security teams need to focus on what they can and can't control. They can’t control the outer circle: the attackers, the security posture of your suppliers, or the unknown flaws in third-party code,” he said.

“But they can control the inner circle: their own assets and security controls, and their effectiveness.”

He said it’s also good practice to maximize visibility into “what’s knowable.”

“Real resilience comes from proof, meaning verifiable data, not checkboxes. Organizations that master their inner circle gain the clarity, agility, and confidence to respond effectively to the next supply chain attack,” Gill said.