Critical Security Alert: Prevent Supply Chain Attacks via npm Scripts
We recently identified a Supply Chain Attack attempt in our repository. This post outlines the attack mechanism and, more importantly, the proper way to handle dependencies safely.
1. How the Attack Was Structured
The attacker pushed a malicious commit (72bec92) containing:
- A hidden script: `preinstall.js` (obfuscated with Unicode).
- A trigger: `package.json` was modified to include `"preinstall": "node preinstall.js"`.
By default, a plain `npm install` (and `npm ci`) runs the `preinstall` hook automatically, BEFORE any packages are installed and without any prompt. The script hides its real behaviour by decrypting a payload with AES-256-CBC and executing the result through `eval()`, so a casual read of the file shows nothing actionable; the payload could then read `.env` files, SSH keys, or API tokens from the developer's machine.
2. The Solution: Use --ignore-scripts
The critical takeaway here is that the malware is powerless if it is never executed. Even if the malicious files exist in the repository, they remain "dormant" and harmless unless the npm lifecycle triggers them.
I strongly recommend everyone use the following command:
npm install --ignore-scripts
By using this flag:
- Execution is Blocked: npm skips every lifecycle script (preinstall, install, postinstall, prepare, etc.), for the project itself and for every dependency. `npm ci` accepts the same flag.
- Payload Neutralized: `preinstall.js` is never run, so the AES-256-CBC decryption and the `eval()` call never execute.
- Safety at Install Time: even if you have pulled the compromised commit, installing with this flag does not execute the payload. Note what the flag does not cover: it only suppresses npm lifecycle hooks, so the file still runs if you later invoke `npm run preinstall`, execute `node preinstall.js` yourself, or run any project script that requires it. It also skips legitimate install-time work such as native-module compilation and `prepare` steps, so some dependencies may need a separate, reviewed build step afterwards.
3. Immediate Recovery Steps
The repository has been cleaned via a force push that rewrote history. To ensure your local environment is safe, please follow these steps:
- Clean your local branch: Run `git pull --rebase` to sync with the cleaned `origin/main`, or, if you have no local work to preserve, `git fetch origin` followed by `git reset --hard origin/main`. Afterwards confirm that 72bec92 no longer appears in `git log`, that `preinstall.js` is gone from your working tree, and that `package.json` has no `preinstall` entry; if the rebase replayed the commit on top of the cleaned history, use the reset instead.
- Standardize your install: Always use `--ignore-scripts` (with `npm install` and `npm ci`) when working with new or external commits, and review any newly added lifecycle hook in `package.json` before running it.
- Audit your environment: If you ran a plain `npm install` before the cleanup, assume the script executed and treat everything it could reach as compromised. Rotate secrets immediately (GitHub tokens, Clerk keys, anything in `.env`, and the SSH keys on that machine), and check for unexpected activity on the accounts those credentials unlock.
4. Summary
An install-script attack like this one only succeeds if the lifecycle scripts run. By making `--ignore-scripts` part of our standard workflow, and by treating any new lifecycle hook in `package.json` as something that must be reviewed before it lands, we neutralize this class of threat before it can even start.
