Supply chain attacks are a real threat
2025-03-19
When was the last time you reviewed your third-party dependencies for the web app you're building?
If you've been a web developer for some time, you know that the JavaScript ecosystem changes rapidly. This includes dependencies from package managers such as npm.
Over the last few years, there's been a steady rise of supply chain attacks targeting npm. There's a wild mix of attacks. Some try to gain access to crypto wallets, such as the Lazarus Group's latest attack. Some are so-called "protestware" incidents, whereby maintainers of popular packages intentionally brick their packages, either by removing them from npm entirely or by changing the code. The most famous example of this is the npm left-pad incident.
A real threat for most projects, though, is typosquatting attacks, where attackers publish a package whose name closely matches the one they're imitating (for example, "puppeter" instead of "puppeteer"), in the hope that developers carelessly install it.
One such attack has been ongoing since October 2024, with over 250 malicious packages published.
If you don't have a process in place to regularly review your third-party dependencies, you should establish one now. Supply chain attacks are not going anywhere.
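One cheap check to fold into such a review: compare every name in your package.json against the packages you actually intend to use and flag near-misses, since typosquatting depends on names that differ by a character or two. The script below is an added example (not code from the original post); the trusted list and the package.json contents are constructed samples.

```javascript
// Added example: flag dependency names that are a small edit away from a
// well-known package name, the pattern typosquatting relies on. The trusted
// list is a constructed sample; seed it from your own allow-list in practice.

// Classic Levenshtein edit distance (insert/delete/substitute cost 1).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Compare every dependency against the trusted list; report near misses.
function findSuspicious(dependencyNames, trustedNames, maxDistance = 2) {
  const trusted = new Set(trustedNames);
  const findings = [];
  for (const name of dependencyNames) {
    if (trusted.has(name)) continue; // exact match: an expected package
    for (const known of trustedNames) {
      const d = editDistance(name, known);
      if (d > 0 && d <= maxDistance) {
        findings.push({ name, lookalike: known, distance: d });
      }
    }
  }
  return findings;
}

// Collect dependency names from package.json text (dependencies + devDependencies).
function dependencyNamesFrom(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  return Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
}

// Constructed sample input; a real run would read your project's package.json.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { puppeter: "^21.0.0", lodash: "^4.17.21" },
  devDependencies: { "left-pad": "^1.3.0" },
});
const TRUSTED = ["puppeteer", "lodash", "left-pad", "express"];
console.log(findSuspicious(dependencyNamesFrom(SAMPLE_PACKAGE_JSON), TRUSTED));
```

A hit only means "looks like something you trust"; confirm it against the package's registry page and publish history before deciding whether it is a typo on your side or a lookalike on theirs.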
Yours,
Søren