
New npm Supply Chain Attack Self-Spreads to Steal Auth Tokens
Security
A newly reported supply chain attack targets the npm ecosystem by stealing developer authentication tokens and then using them to propagate. Malicious packages carry install-time lifecycle scripts (post-install hooks) that run automatically on `npm install`, harvest the credentials present on the developer's machine, and use the stolen tokens to publish further trojanised packages from the compromised accounts, so each infected maintainer becomes a new distribution point. No specific CVE IDs, dates, or victim counts were disclosed in the report. The primary impact is unauthorized access to developer accounts and the distribution of additional malicious packages under trusted names, with the self-spreading mechanism amplifying the attack's reach across the npm environment.