In a newly discovered supply chain attack, attackers last week targeted a range of NPM-hosted JavaScript type testing utilities, several of which were successfully compromised to distribute malware.
Anyone automatically downloading these packages would have been exposed to a backdoor supply chain attack until cleaned versions were installed.
In one example on July 19, attackers loaded the popular "is" NPM JavaScript type testing utility with malware that went unnoticed for six hours. The bad news was delivered by maintainer Jordan Harband in a post on Bluesky: