DevSec Station

NPM Supply Chain Attack: Active Worm Stealing Tokens, SSH Keys, and Credentials

• Tanya Janca | SheHacksPurple • Season 1


🚨 Emergency DevSec Station update.

There’s an active npm supply chain attack happening right now.

Malicious npm packages are running install scripts that quietly steal:
• SSH keys
• AWS credentials
• GitHub tokens
• Browser passwords
• Crypto wallets

From there, the attack uses your npm publish token to spread into every package you maintain. That’s how this turns into a worm across the npm ecosystem.

This is not theoretical. It’s already in the wild.

👉 Immediate fix:
 Run
 npm config set ignore-scripts true

This disables install scripts and blocks the main attack path.

If you work in JavaScript, Node.js, DevSecOps, or application security, take action now and tell your team.

Watch the full 60-second breakdown and share this with anyone who installs npm packages.

#npmSecurity #SupplyChainAttack #DevSecOps #AppSec #JavaScriptSecurity #CyberSecurityAlert

SPEAKER_00

Hi, I'm Tanya Janca, also known as SheHacksPurple, and I'm interrupting our regular DevSec Station programming because I don't feel that this can wait. There's an active npm supply chain attack happening right now. I know there's been a lot of them recently, but this one is a big one, and I wanted to tell you about it. Packages that look completely normal and legitimate are being compromised and published with malicious versions that are stealing your credentials. It's the moment that you run npm install when it steals it via post-install script. They're taking SSH keys, AWS credentials, GitHub tokens, browser passwords, crypto wallets, literally everything that it can grab, it is stealing from you. And then it will use your publish token to infect every single package that you maintain. I would call this attack a worm. So here's what I would like you to do right now. If you could open your terminal and run the following command, which obviously you will decide for yourself, but this is a request, not a demand: npm config set ignore-scripts true. What this will mean is that post-install scripts don't run anymore. So I just want you to run one command which tells npm to never automatically run a post-install script again without your explicit permission. I realize that occasionally a legitimate package will break as a result of this. I know that it might sound weird, but I want this. This will be friction, and I want us to treat it as a feature, a security feature, not a bug. It's alerting you that something's happening. It means that you have to consciously decide to trust the script before it runs on your machine. That's how this would work from now on. So instead of post-install scripts that are potentially malicious running automatically, the post-install script would come to your attention. You review it and decide that it is good. I would hope that you could set this for every org, for every project, for every developer on your team.
That is what I would like. I want you to set it for yourself today. I'd like you to talk to your team about setting it for everyone as soon as possible. On top of this, if you could run a software composition analysis tool, also known as SCA, they can catch these sorts of things fairly often, fairly quickly. If you could do both, you'd get even better results. Thank you very much. I will be back with your regularly scheduled programming next episode. Thank you.