More packages poisoned in npm attack, but would-be crypto thieves left pocket change
Source: theregister.co.uk

During the two-hour window on Monday in which hijacked npm versions were available for download, malware-laced packages reached one in 10 cloud environments, according to Wiz researchers. But crypto-craving crims did little more than annoy defenders.
As of Tuesday, the supply-chain attack remains active, and its scope extends beyond the original 18 infected Qix packages to now include five additional compromised DuckDB and coveops/abi packages, according to JFrog.
Wiz warns organizations to assume "malicious versions of popular packages are still available for download and might be automatically included in development pipelines."
This latest supply-chain attack "highlights how fragile the modern JavaScript ecosystem is, where half of the codebase is dependent on single-line utilities maintained by a single developer," JFrog researcher Andrey Polkovnichenko wrote.
As a refresher, here's what happened on Monday. Qix developer Josh Junon, after being duped by a phishing email, inadvertently authorized a reset of the ...
Copyright of this story solely belongs to theregister.co.uk.