WhiteSource tracked an average of 32,000 new npm packages released each month in 2021. This level of activity allowed threat actors to launch a number of attacks, including:
- Software supply chain attacks: Used to steal data, corrupt targeted systems, and gain access across networks via lateral movement.
- Cryptojacking: When a malicious actor takes control of a victim’s computing resources to mine cryptocurrency.
- Data theft: Using keyloggers, screen scrapers, spyware, adware, bots, etc., attackers steal victims’ private and/or proprietary data.
- Security Research: Attackers create packages that falsely claim to be designed for security research but actually contain malicious code.
“With an average of over 17,000 new npm package versions released daily in 2021, there is no doubt that package update activity should be closely monitored,” said Rami Sass, co-founder and CEO of WhiteSource. “Unfortunately, this popularity is used by threat actors to spread malware and launch attacks that harm businesses and individuals. Our latest threat report is designed to educate readers about npm and how threat actors use it, to better protect developers, businesses, and users from malicious behavior.”
In addition to describing what npm is and how it is used by threat actors, the report identifies five key facts about npm package security, as well as best practices for thwarting npm attacks.
To see if you have hidden supply chain risks in your organization, download WhiteSource Diffend here.
To learn more about the report’s findings and download the full report, visit this link.
About WhiteSource
WhiteSource helps organizations accelerate secure software development at scale. We provide automated tools that help bridge the security knowledge gap, easily integrating into the software development lifecycle and going beyond detection with a remediation-focused approach. WhiteSource is powered by the most comprehensive vulnerability database in the industry, providing the broadest coverage for threats and attack vectors. Our solution helps companies such as Microsoft, IBM, Comcast, Philips and many others reduce security risks and increase the productivity of their security and development teams. For more information, visit www.whitesourcesoftware.com.