On September 8, 2025, a sophisticated supply-chain attack targeted 18 widely used NPM (Node Package Manager) packages.
Together, these packages account for 2.8 billion downloads per week, making this one of the largest NPM attacks ever recorded.
What is a supply-chain attack?
A supply-chain attack is a type of cyberattack where the attacker does not target the end victim directly.
Instead, they compromise a trusted source by injecting malicious code, such as through an update to an NPM package.
This often happens without the package maintainer being aware of it, and the malicious code is frequently introduced via phishing attacks against the supplier or maintainer.
These threats affect not only applications in production but also the development phase of projects.
Therefore, security routines and ways of working must be clearly defined from the very beginning of a project.
It is not enough to only perform penetration testing before launch or to monitor an application after it has gone live.
Key takeaways
The attack resulted in malicious updates being published to packages that were previously considered trustworthy.
This caused malicious code to execute when users installed the affected packages.
The goal of the attack was to locate sensitive information such as keys or tokens, enabling attackers to gain access to databases, servers, or cloud services.
These types of attacks are very difficult to detect. At A North Group, we therefore provide recommendations on how your team can reduce the risk of becoming a victim of such attacks:
- Regular dependency updates
  Ensure that all NPM packages and their dependencies are kept up to date to minimize exposure to known vulnerabilities. At the same time: don’t always be the first to upgrade. In many cases, it’s wise to wait and verify that a new version is stable before adopting it.
- Use security tools
  Implement tools that can analyze dependencies and detect malicious code.
- Monitor unusual activity
  Keep an eye on systems and networks to identify signs of potential attacks.
- Stay informed about security incidents and vulnerabilities
  Actively track security advisories related to the third-party dependencies your application relies on.
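One way to put the "don't be the first to upgrade" and install-time-code points into practice is a small lockfile audit, shown here as an added example that is not part of the original post. It assumes a package-lock.json in the v2/v3 layout (a "packages" map with "version" and the optional "hasInstallScript" flag) and publish dates shaped like the registry's "time" metadata; the lockfile fragment and timestamps below are constructed sample data with placeholder package names.

```javascript
// Added example: flag locked versions younger than a minimum age, and list
// packages that run install scripts, so a reviewer can look at them before
// they are adopted. Sample inputs are constructed; package names are placeholders.

const MIN_AGE_DAYS = 7; // policy: do not adopt versions published less than a week ago

// Constructed package-lock.json fragment (v3 layout).
const lockfile = {
  packages: {
    "": { name: "example-app", version: "1.0.0" },            // root project entry
    "node_modules/pkg-a": { version: "4.2.0" },                // published yesterday
    "node_modules/pkg-b": { version: "1.1.0", hasInstallScript: true },
    "node_modules/pkg-c": { version: "2.0.3" },
  },
};

// Constructed publish timestamps, keyed like the registry's "time" object.
const publishTimes = {
  "pkg-a": { "4.1.0": "2025-08-01T00:00:00Z", "4.2.0": "2025-09-08T10:00:00Z" },
  "pkg-b": { "1.1.0": "2025-06-15T00:00:00Z" },
  "pkg-c": { "2.0.3": "2025-03-01T00:00:00Z" },
};

// Lockfile keys are install paths; the package name is whatever follows the
// last "node_modules/" segment (handles nested and scoped packages).
function nameFromPath(installPath) {
  const parts = installPath.split("node_modules/");
  return parts[parts.length - 1];
}

function auditLockfile(lock, times, minAgeDays, now = new Date()) {
  const tooNew = [];          // versions younger than the policy, or with no known publish date
  const installScripts = [];  // packages that execute code at install time
  for (const [installPath, entry] of Object.entries(lock.packages)) {
    if (installPath === "") continue; // skip the root project itself
    const name = nameFromPath(installPath);
    const published = times[name] && times[name][entry.version];
    if (published) {
      const ageDays = (now - new Date(published)) / 86400000;
      if (ageDays < minAgeDays) tooNew.push({ name, version: entry.version, ageDays: Math.floor(ageDays) });
    } else {
      tooNew.push({ name, version: entry.version, ageDays: null }); // unknown age: treat as unverified
    }
    if (entry.hasInstallScript) installScripts.push(`${name}@${entry.version}`);
  }
  return { tooNew, installScripts };
}

const report = auditLockfile(lockfile, publishTimes, MIN_AGE_DAYS, new Date("2025-09-09T00:00:00Z"));
console.log(JSON.stringify(report, null, 2));
```

In a real pipeline the "time" object would come from `npm view <pkg> time --json`, and any flagged entry is a cue for manual review rather than an automatic block.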
This attack highlights the importance of having robust security practices in place, especially when working with third-party dependencies in modern development projects.