Malware Hits npm, PyPI in Global Supply Chain Attack

A new supply chain malware campaign is targeting the npm and PyPI open-source ecosystems, compromising over a dozen packages linked to GlueStack, according to cybersecurity researchers. The attack, disclosed by Aikido Security, involves a malicious modification to the ‘lib/commonjs/index.js’ file within these packages. The altered file lets attackers execute shell commands, capture screenshots, and upload files from infected machines, which amounts to remote access and data exfiltration capability on any developer workstation or build host that installs an affected version.

The compromised packages, collectively downloaded nearly one million times, could impact a broad range of developers and organizations globally. While the specific method by which the altered packages were published remains unclear, their presence in widely used open-source registries means the malicious code is pulled in automatically by ordinary dependency installs, which greatly widens the potential reach of the infection.

The incident highlights the growing threat of software supply chain attacks, as adversaries increasingly target trusted development tools and dependencies. Security teams are urged to audit their dependency trees, including transitive dependencies, and to monitor for suspicious activity such as unexpected shell execution or outbound uploads in their development pipelines.
