BleepingComputer reports that nearly a dozen npm packages, including the widely used 'country-currency-map' package and several other cryptocurrency-related packages, have been hijacked with malicious JavaScript that steals environment variables, among them API and encryption keys as well as cloud and database credentials.

Of country-currency-map and the nine other infostealer-laced packages, only country-currency-map has so far been removed from npm, according to an analysis from Sonatype, which believes the previously clean packages were targeted by threat actors using the same technique. "Given the concurrent timing of the attacks on multiple packages from distinct maintainers, the first scenario (maintainer accounts takeover) appears to be a more likely scenario as opposed to well-orchestrated phishing attacks," said Sonatype. The attackers also most likely exploited inadequate npm maintainer account security rather than compromising the projects' source code, as evidenced by the absence of any malware in the impacted npm projects' respective GitHub repositories.