Back to Intelligence

Npm Supply Chain Attack: Worm-Like Propagation and Credential Theft — Detection and Remediation

SA
Security Arsenal Team
April 25, 2026
5 min read

A sophisticated supply chain attack targeting the npm registry has been identified, characterized by worm-like propagation capabilities and the theft of developer credentials. Unlike typical dependency confusion attacks, this campaign involves malicious packages that actively execute post-install scripts to scan environments, propagate to other projects, and exfiltrate sensitive data. For defenders, the urgency is high: compromise of CI/CD pipelines or developer workstations can lead to widespread code injection and persistent access to cloud infrastructure.

Technical Analysis

Affected Platform: Node.js ecosystems using the npm package manager.

Attack Vector: The attack relies on the installation of typosquatted or compromised malicious packages. Upon execution, these packages leverage the preinstall or postinstall lifecycle scripts to execute arbitrary shell commands.

Attack Chain:

  1. Initial Compromise: Developer installs a malicious package (e.g., canisters or similar obfuscated names).
  2. Execution: The postinstall script triggers, spawning a child shell (e.g., bash, sh, or powershell).
  3. Propagation (Worm-like): The malware scans the filesystem for other package. files to modify them or inject malicious dependencies, effectively spreading the infection to adjacent projects.
  4. Credential Theft: The script searches for and exfiltrates configuration files (e.g., .npmrc, .aws/credentials, .env) containing API keys, tokens, and secrets.
  5. Exfiltration: Data is sent to attacker-controlled Command and Control (C2) servers via curl or wget.

Exploitation Status: Active exploitation confirmed. The worm-like nature allows the malware to move laterally across a developer's local filesystem and potentially into network-mounted code repositories.

Detection & Response

The following detection logic focuses on identifying the anomalous behavior of package managers spawning reconnaissance or exfiltration tools, a deviation from standard build processes.

SIGMA Rules

YAML
---
title: NPM/Node Spawning Shell or Network Tool
id: 8a4f9e12-3b1c-4d5a-8e2f-9c1b2d3e4f5a
status: experimental
description: Detects npm or node processes spawning shells or network utilities commonly used in post-install scripts for data exfiltration.
references:
  - https://attack.mitre.org/techniques/T1059/004/
  - https://attack.mitre.org/techniques/T1071/001/
author: Security Arsenal
date: 2025/04/07
tags:
  - attack.execution
  - attack.t1059.004
  - attack.exfiltration
  - attack.t1071.001
logsource:
  category: process_creation
  product: windows
  # Note: Logic applies equally to Linux via bash logs, adapted here for generic endpoint visibility
detection:
  selection_parent:
    ParentImage|endswith:
      - '\node.exe'
      - '\npm.cmd'
      - '/node'
      - '/npm'
  selection_child:
    Image|endswith:
      - '\curl.exe'
      - '\powershell.exe'
      - '\cmd.exe'
      - '/curl'
      - '/wget'
      - '/bash'
      - '/sh'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate build scripts that require system utilities (rare during install phase)
level: high
---
title: NPM Process Accessing Sensitive Credential Files
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects npm or node processes reading user credential files such as .npmrc or .env, indicative of credential theft.
references:
  - https://attack.mitre.org/techniques/T1552/001/
author: Security Arsenal
date: 2025/04/07
tags:
  - attack.credential_access
  - attack.t1552.001
logsource:
  category: file_access
  product: windows
detection:
  selection:
    Image|endswith:
      - '\node.exe'
      - '\npm.cmd'
    TargetFilename|contains:
      - '.npmrc'
      - '.env'
      - '.aws'
  condition: selection
falsepositives:
  - Developer tools inspecting configuration
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for NPM/Node processes spawning suspicious children (Windows)
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("node.exe", "npm.cmd", "npm")
| where FileName in~ ("curl.exe", "powershell.exe", "cmd.exe", "bash", "wget", "sh")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName
| order by Timestamp desc

// Hunt for NPM/Node processes accessing credential files
DeviceFileEvents
| where InitiatingProcessFileName in~ ("node.exe", "npm.cmd", "node")
| where FileName in~ (".npmrc", ".env", "credentials", "id_rsa")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessCommandLine, SHA256
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious process chains where Node spawns shells or network tools
SELECT Pid, Name, CommandLine, Parent.Pid as ParentPid, Parent.Name as ParentName, Parent.CommandLine as ParentCmd
FROM process_chain()
WHERE Parent.Name =~ "node" OR Parent.Name =~ "npm"
  AND (Name =~ "curl" OR Name =~ "wget" OR Name =~ "bash" OR Name =~ "sh" OR Name =~ "powershell")

-- Hunt for .npmrc access by node processes
SELECT FullPath, Size, Mtime, Btime
FROM glob(globs=["/*/.npmrc", "/*/.env", "/*/.aws/credentials"])
WHERE Mtime > now() - 1h  -- Look for recently modified credential files

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Remediation: Audit node_modules for high-risk postinstall scripts

TARGET_DIR="${1:-.}"

if [ ! -d "$TARGET_DIR/node_modules" ]; then
    echo "No node_modules found in $TARGET_DIR"
    exit 0
fi
echo "[+] Scanning for suspicious postinstall scripts in $TARGET_DIR..."

# Find package. files inside node_modules
find "$TARGET_DIR/node_modules" -name "package." -type f | while read -r pkg; do
    # Check if 'postinstall' or 'preinstall' scripts exist
    if grep -qE '("postinstall"|"preinstall")' "$pkg"; then
        echo "[!] Potential risky lifecycle script found in: $pkg"
        # Display the script content for review
        jq '.scripts | select(.postinstall != null or .preinstall != null)' "$pkg"
    fi
done

echo "[+] Scan complete. Review identified packages."
echo "[+] Recommendation: Run 'npm ci' with a clean lockfile or 'npm audit fix' to restore integrity."

Remediation

  1. Identify and Remove: Developers and CI/CD pipelines must immediately audit package. and package-lock. for the identified malicious packages or any recently added dependencies that are not recognized. Remove any suspicious entries.

  2. Credential Rotation: Assume that credentials stored in environment files (.env), .npmrc, or cloud configuration files (.aws/credentials) have been compromised. Rotate all API keys, tokens, and passwords associated with the affected development environment.

  3. Sanitization:

SQL
    Delete the `node_modules` directory entirely and `package-lock.`. Perform a fresh install using `npm ci` (if the lockfile is trusted) or `npm install` after verifying the integrity of `package.`.

  1. Vendor Advisory: Refer to the official npm Security Advisory for specific package names and versions associated with this campaign.

  2. Code Review: Due to the worm-like propagation, scan all adjacent projects and repositories on the same network or workstation for unauthorized modifications to package. files.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirnpmsupply-chainjavascript

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action