A coordinated supply chain attack is underway targeting more than 140 npm packages, with affected packages automatically adding a dependency that resolves to a malicious version, according to SlowMist monitoring.
According to Foresight News, the impacted packages add a dependency on easy-day-js@^1.11.21 during installation, which automatically resolves to the malicious [email protected]. The malicious package triggers attacker-controlled code through installation hooks.
SlowMist said potential attacker actions include executing code during installation, maintaining persistence on Windows, macOS, and Linux, collecting browser history, inventorying cryptocurrency wallet extensions, exposing credentials or CI keys through follow-up actions, and exfiltrating data.
For systems that installed affected versions, SlowMist advised treating them as potentially compromised. Recommended steps include removing the malicious version and easy-day-js, deleting node_modules and package caches, reinstalling known clean versions using verified lockfiles, isolating affected hosts, preserving logs, removing persistence artifacts, and rotating potentially exposed credentials related to npm, GitHub, cloud services, SSH/Git, CI/CD, and wallets.