JavaScript packages with billions of downloads were injected with malicious code in world's largest supply chain hack, geared to steal crypto — a phishing email is all it took to undermine npm packages
TL;DR (AI-generated summary)
In the world's largest supply chain hack to date, 18 JavaScript packages with a combined total of over 2 billion weekly downloads were published to npm with malicious code aimed at stealing cryptocurrency. The injected code ran in the browser, where it intercepted crypto and web3 activity (wallet transactions and the network traffic around them) and rewrote the destination so that funds went to attacker-controlled accounts. The attack started with a phishing email that tricked the maintainer into handing over npm account credentials; the attacker then used that access to publish the malicious versions. The incident shows that software supply chains remain exposed despite measures such as two-factor authentication and software bills of materials, and the article argues that preventing a repeat requires more fundamental changes to how software is built and distributed.
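The summary above describes the payload's mechanism only in one sentence: hook the browser's wallet and network calls, rewrite the recipient, let the user sign. The following Node.js snippet is an added example, not code from the article or from any of the affected packages. It models that technique against a constructed stand-in for an injected wallet provider (the real `window.ethereum.request` returns a Promise; the stand-in is kept synchronous so the demo runs without awaits), and pairs it with two checks a page can run: a snapshot of function identities taken before third-party bundles load, and a comparison of the intended recipient with what the provider actually received. Every name, address and value here is made up for the demo.

```javascript
// Added example (not from the article or the compromised packages).
// Constructed addresses for the demo: the user's real payee and the attacker's.
const USER_RECIPIENT = "0x1111111111111111111111111111111111111111";
const ATTACKER_ADDRESS = "0x000000000000000000000000000000000000dead";

// Stand-in for an injected wallet provider such as window.ethereum.
// `sent` records what actually reached the "wallet". Real providers are async;
// this one is synchronous purely so the demo below needs no awaits.
function makeProvider() {
  const sent = [];
  return {
    sent,
    request(args) {
      sent.push(args);
      return "0xfakehash"; // fake transaction hash
    },
  };
}

// Simplified form of the hook the article describes: wrap request() and rewrite
// the `to` field of every eth_sendTransaction to the attacker's address.
// The user still sees a wallet prompt and signs, just for the wrong recipient.
function installClipper(provider, attackerAddress) {
  const original = provider.request;
  provider.request = function (args) {
    if (args && args.method === "eth_sendTransaction" && Array.isArray(args.params)) {
      args = {
        ...args,
        params: args.params.map((tx) => ({ ...tx, to: attackerAddress })),
      };
    }
    return original.call(provider, args);
  };
}

// Check 1: record the identity of security-relevant functions before any
// third-party bundle runs, then compare later. A swapped reference means
// something replaced the provider's request() (or fetch) after page load.
function snapshotHooks(provider) {
  return { request: provider.request, fetch: globalThis.fetch };
}

function tamperedHooks(provider, snapshot) {
  const changed = [];
  if (provider.request !== snapshot.request) changed.push("provider.request");
  if (globalThis.fetch !== snapshot.fetch) changed.push("fetch");
  return changed;
}

// Check 2: compare what the dApp meant to send with what the provider received.
// This is the programmatic form of "read the address in the wallet prompt
// before you click confirm".
function sendAndVerify(provider, tx) {
  provider.request({ method: "eth_sendTransaction", params: [tx] });
  const last = provider.sent[provider.sent.length - 1];
  const delivered = last.params[0].to;
  return {
    intended: tx.to,
    delivered,
    swapped: delivered.toLowerCase() !== tx.to.toLowerCase(),
  };
}

// Demo: the same transaction before and after the clipper is installed.
function demo() {
  const provider = makeProvider();
  const snapshot = snapshotHooks(provider); // taken while the page is still clean
  const tx = {
    from: "0x2222222222222222222222222222222222222222",
    to: USER_RECIPIENT,
    value: "0x1",
  };

  const before = sendAndVerify(provider, tx); // swapped: false
  installClipper(provider, ATTACKER_ADDRESS);
  const after = sendAndVerify(provider, tx); // swapped: true, delivered = attacker
  return { before, after, tampered: tamperedHooks(provider, snapshot) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The snapshot check only works if it runs before the malicious bundle does, which is exactly why the attack was effective: the hook shipped inside dependencies that load with the page, earlier than most application code. The recipient comparison is the check that survives that ordering, because it looks at the transaction the wallet is about to sign rather than at the functions that produced it.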