National Cyber Security Center: Mainstream JavaScript package management platform npm suffers supply chain poisoning attacks.
The National Cyber Security Bulletin Center found that npm, the mainstream global package management platform for JavaScript software, was hit by a "sandworm" supply chain poisoning attack. Attackers compromised an official npm maintainer account and rapidly injected a large number of malicious packages, involving more than 300 separate packages and more than 600 malicious versions and affecting several popular open source projects. When developers install a malicious dependency package, it automatically executes malicious code on the local host or in the CI/CD pipeline environment and steals sensitive information such as GitHub tokens, npm tokens, cloud service keys, SSH private keys, Kubernetes credentials and database connection strings. The attack has a very strong worm-like self-replicating and lateral spreading capability: attackers use stolen npm publishing permissions to tamper with and republish other packages under the affected developers' names, so the supply chain risk keeps spreading and the harm escalates.