T1195.001 Compromise Software Dependencies and Development Tools
100%
“learnings from recent npm supply chain compromises overview there has been a recent surge in successful, large-scale supply chain attacks, with three incidents compromising a combined total of more than 500 npm packages. attackers continue to target the software supply chain, a…”
T1195.001 Compromise Software Dependencies and Development Tools
99%
“-styles. the attackers injected obfuscated, browser-based malware into more than 18 npm packages. the malicious code functioned as a crypto stealer, hooking browser apis to hijack cryptocurrency transactions by silently replacing wallet addresses with attacker-controlled one…”
T1195.001 Compromise Software Dependencies and Development Tools
98%
“attackers then exfiltrated the stolen data to newly created, public github repositories under the victims’ own accounts, using a consistent naming convention like s1ngularity-repository. in the attack’s second phase, the stolen github tokens were used to change thousands of …”
T1195.001 Compromise Software Dependencies and Development Tools
98%
“security by adding additional verification steps to prevent attackers from easily exploiting stolen credentials, even if a token or password has been leaked. although fine-grained access tokens should be used whenever possible, enabling mfa helps secure accounts in scenarios wh…”
T1195.001 Compromise Software Dependencies and Development Tools
97%
“is to protect developer workstations from compromise and stop supply chain attacks before they reach production. references - https://socket.dev/blog/npm-phishing-email-targets-developers-with-typosquatted-domain - https://socket.dev/blog/ongoing-…”
T1195.001 Compromise Software Dependencies and Development Tools
95%
“attacks. what went right? security researchers, npm maintainers, and github acted quickly to limit the impact of the incidents. github disabled the newly created repositories to limit data exposure. although npm was slow to remove the vulnerable packages, nx acted quickly to publ…”
T1195.001 Compromise Software Dependencies and Development Tools
95%
“npm pwn request incidents are not the only recent examples of attackers targeting github actions. on september 2, 2025, a separate campaign known as ghostactions leveraged a compromised pypi maintainer account to insert a malicious github actions workflow. the workflow was design…”
T1195.001 Compromise Software Dependencies and Development Tools
92%
“i-hulud attack, they used github actions to exfiltrate secrets from compromised repositories, sent them to webhook[.]site, migrated private repositories to public, and appended -migration to their names. the scale of these attacks underscores the importance of securing ci…”
T1195.001 Compromise Software Dependencies and Development Tools
92%
“helps quickly identify at-risk projects. customers can also use the static code analysis (sast) product to identify vulnerabilities in github actions, using two rules specifically designed to detect script injection through user controlled values and dangerous github actions …”
T1195.001 Compromise Software Dependencies and Development Tools
82%
“. this setting creates a buffer when dependencies are pinned to the latest version of a package, reducing the likelihood of immediate compromise. if adopted widely, this feature could significantly decrease the success rate of supply chain attacks. as of the publication of this p…”
T1567.001 Exfiltration to Code Repository
75%
“attackers then exfiltrated the stolen data to newly created, public github repositories under the victims’ own accounts, using a consistent naming convention like s1ngularity-repository. in the attack’s second phase, the stolen github tokens were used to change thousands of …”
T1587 Develop Capabilities
65%
“learnings from recent npm supply chain compromises overview there has been a recent surge in successful, large-scale supply chain attacks, with three incidents compromising a combined total of more than 500 npm packages. attackers continue to target the software supply chain, a…”
T1528 Steal Application Access Token
64%
“-related phishing campaign: in july 2025, attackers spoofed an npm site to target developers through a typosquatted domain. these incidents reinforce the reality that breaching a single npm account can cascade into the compromise of dozens, even hundreds, of packages. targets l…”
T1195.001 Compromise Software Dependencies and Development Tools
61%
“-related phishing campaign: in july 2025, attackers spoofed an npm site to target developers through a typosquatted domain. these incidents reinforce the reality that breaching a single npm account can cascade into the compromise of dozens, even hundreds, of packages. targets l…”
T1587 Develop Capabilities
47%
“-styles. the attackers injected obfuscated, browser-based malware into more than 18 npm packages. the malicious code functioned as a crypto stealer, hooking browser apis to hijack cryptocurrency transactions by silently replacing wallet addresses with attacker-controlled one…”
T1195.001 Compromise Software Dependencies and Development Tools
44%
“, which further extended their reach. once inside, the attackers used github actions workflows to exfiltrate secrets from compromised repositories and send them to webhook[.]site. they also migrated private repositories to public, appending “-migration” to the repository na…”
T1525 Implant Internal Image
41%
“-related phishing campaign: in july 2025, attackers spoofed an npm site to target developers through a typosquatted domain. these incidents reinforce the reality that breaching a single npm account can cascade into the compromise of dozens, even hundreds, of packages. targets l…”
T1587 Develop Capabilities
34%
“attackers then exfiltrated the stolen data to newly created, public github repositories under the victims’ own accounts, using a consistent naming convention like s1ngularity-repository. in the attack’s second phase, the stolen github tokens were used to change thousands of …”
Summary
A look at recent npm supply chain compromises and how we can learn from them to better prepare for future incidents.