
NPM malware attack targets AntV tool
TL;DR: The npm registry has experienced another malware attack, this time affecting the AntV data visualization tool. The incident occurred after an attacker compromised the credentials of a maintainer for the popular `timeago.js` library, highlighting ongoing risks in the open-source software supply chain.
Key facts
- Category: Cybersecurity
- Impact: Low
- Published:
- Source: CSO Online
Full summary
The AntV data visualization tool was targeted in a new npm supply chain attack after a maintainer's account was compromised.
The npm open-source registry has been hit by another supply chain attack, this time impacting users of the AntV data visualization tool. The incident stemmed from the compromised credentials of a maintainer for the popular `timeago.js` JavaScript library. According to security analysts, an attacker gained control of the `atool` npm account, which is responsible for publishing `timeago.js`. This attack vector is more conventional than the recent high-profile incident involving TanStack, which exploited a complex GitHub Actions vulnerability. Instead, this attack relied on gaining direct access to a high-value maintainer account.
This event underscores the persistent threat of supply chain attacks within the software development lifecycle. By targeting a widely used dependency like `timeago.js`, attackers can inject malicious code that propagates to countless downstream projects and applications that use the AntV tool. The compromise highlights how a single point of failure, in this case a maintainer's account, can have far-reaching consequences for developers, IT teams, and businesses that rely on the integrity of the open-source ecosystem. It serves as a critical reminder that even trusted packages can become vectors for malware.
The rapid succession of attacks on the npm registry emphasizes the need for heightened security measures across the board. For package maintainers, this means enforcing multi-factor authentication and practicing strong credential hygiene. For developers and organizations consuming these packages, it is crucial to implement dependency scanning tools to quickly identify and respond to compromised components. Continuous monitoring is becoming an essential practice to mitigate these ongoing threats.
Why it matters
This attack highlights the ongoing risk of software supply chain vulnerabilities, where compromising a single popular package can impact thousands of downstream applications and companies.
Business impact
Companies using the AntV data visualization tool or the `timeago.js` library may have inadvertently installed malicious code, exposing them to potential data theft or system compromise. This requires immediate investigation and remediation, potentially causing operational disruption.
⚡ Action needed
Users of the AntV data visualization tool and the `timeago.js` library should immediately review their dependencies for any malicious versions and update to a secure release. It is critical to audit systems for signs of compromise.
Action checklist
1. Identify all projects using AntV or `timeago.js`.
2. Check for and remove any compromised versions of the packages.
3. Update to the latest secure versions of the affected libraries.
4. Scan systems and logs for any signs of malicious activity.
5. Review and enforce multi-factor authentication for all developer accounts.
Primary source: CSO Online