How npm install led to a supply chain attack
Posted by insidethemask@reddit | programming | 7 comments
This is a breakdown of the recent axios npm supply chain attack and how it worked under the hood.
obetu5432@reddit
how having electricity led to a supply chain attack
insidethemask@reddit (OP)
Yeahh, electricity is required too. 😂 Point was just how something as routine as npm install becomes the execution point when dependency trust is abused.
dstutz@reddit
NPM, JavaScript? 😂 Indeed...
insidethemask@reddit (OP)
😂😂
youngbull@reddit
npm install leading to a supply chain attack isn't exactly a novel scenario...
insidethemask@reddit (OP)
Agreed - supply chain attacks via npm aren't new. What stood out to me here was how it was executed: no direct code modification in axios, and abuse of postinstall for cross-platform execution. Also interesting that traditional tools didn't flag it initially. Feels like the technique is evolving even if the concept isn't new 😄
insidethemask@reddit (OP)
Link to the article: https://medium.com/@am2403054/axios-npm-supply-chain-attack-inside-the-3-hour-compromise-that-delivered-a-cross-platform-rat-fdb0fe4c4dd5