A recent attack campaign has targeted the npm package registry, with the intention of tricking developers into downloading malicious modules. This campaign bears similarities to a previous attack wave attributed to North Korean threat actors.
Between August 9 and 12, 2023, nine packages were uploaded to npm as part of this attack. The attackers used a postinstall hook in the package.json file to execute an index.js file, which then started a daemon process that communicated with a remote server. Through this process, the attackers monitored machine GUIDs and selectively delivered additional payloads to specific machines.
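The postinstall hook described above is an ordinary npm lifecycle script, so a defender can audit a dependency's package.json for install-time hooks before installing it. The following Node.js script is an added example, not code from the report or from any of the packages it describes; the sample manifest is constructed to mimic the "postinstall runs node index.js" pattern.

```javascript
// Added example: audit a package.json for npm lifecycle scripts that run
// at install time (preinstall, install, postinstall, prepare), the mechanism
// the campaign used to launch index.js on the developer's machine.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Return one finding per install-time hook declared in a manifest object.
// runsLocalScript is true when the command invokes node on a local .js/.cjs/.mjs
// file (e.g. "node index.js"), which is the pattern worth reviewing by hand.
function findInstallHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] !== 'string') continue;
    const command = scripts[hook];
    findings.push({
      hook,
      command,
      runsLocalScript: /\bnode\s+\S*\.[cm]?js\b/.test(command),
    });
  }
  return findings;
}

// Parse raw package.json text and audit it; malformed JSON is reported rather
// than thrown, so the check can run over many manifests without aborting.
function auditManifestText(text) {
  let manifest;
  try {
    manifest = JSON.parse(text);
  } catch (err) {
    return { error: 'invalid JSON', findings: [] };
  }
  return { error: null, findings: findInstallHooks(manifest) };
}

// Constructed sample manifest (not a real package) mimicking the reported pattern.
const SAMPLE_MANIFEST_TEXT = JSON.stringify({
  name: 'example-pkg',
  version: '1.0.0',
  scripts: { test: 'jest', postinstall: 'node index.js' },
});

console.log(JSON.stringify(auditManifestText(SAMPLE_MANIFEST_TEXT), null, 2));
```

Any finding with runsLocalScript set should be inspected before the package is allowed into a build; a hook that merely compiles native code or prints a banner is common, but one that launches a long-lived process is not.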
In addition, a typosquat version of a popular Ethereum package was discovered on npm. This version made an HTTP request to a server in China, raising concerns about its legitimacy.
Furthermore, the widely used NuGet package Moq faced criticism for introducing a new dependency that extracted developer email addresses without consent. This raised concerns about compliance with GDPR.
These incidents highlight how exposed organizations are to supply chain attacks. It is crucial to implement mitigations such as publishing internal packages under organization scopes and reserving internal package names in the public registry as placeholders. These measures can help protect against similar attacks in the future and support compliance with data protection regulations.