• Home
  • Newsroom
  • WhiteSource Threat Report Reveals Massive Uptick In Cyberattacks Related To JavaScript npm

WhiteSource Threat Report Reveals Massive Uptick In Cyberattacks Related To JavaScript npm

More than 1,300 malicious npm packages have been discovered for use in supply chain attacks, cryptojacking, data stealing and more

TEL AVIV AND BOSTON – February 2 – WhiteSource, a leader in open source security and management, today released a new threat report based on malicious activity found in npm, the most popular JavaScript package manager used by developers worldwide. The report, Popular Javascript Package Registry Is a Playground For Malicious Actors, is based on findings from more than 1,300 malicious npm packages identified in 2021 by WhiteSource Diffend, the company’s flagship automated malware detection platform.

JavaScript is the most commonly used programming language today, with more than 16 million developers worldwide relying on its speed, strong documentation, and interoperability with other programming languages. But the popularity of JavaScript has also attracted attention from threat actors, who increasingly target JavaScript’s open-source package managers and package registries – the most widely used of which is npm, with more than 1.8 million active packages.

WhiteSource tracked an average of 32,000 new npm packages published every month during 2021. That level of activity enabled threat actors to launch a number of attacks, including:

  • Software supply chain attacks: Used to steal data, corrupt targeted systems, and gain access throughout networks via lateral movement.
  • Cryptojacking: When a threat actor takes control of a victim’s computing resources to mine cryptocurrency.
  • Data stealing: Using keyloggers, screen scrapers, spyware, adware, bots, and more, attackers steal private and/or proprietary data from victims.
  • Security research: Attackers create packages that falsely claim to be designed for security research but actually contain malicious code.

“With an average of over 17,000 new npm package versions being published daily in 2021, there’s no question that package update activity needs to be closely monitored,” said Rami Sass, Co-Founder and CEO of WhiteSource. “Unfortunately, that popularity is being used by threat actors to spread malware and launch attacks that harm businesses and individuals. Our newest threat report is designed to educate readers about npm and how threat actors are using it, in order to better protect developers, companies, and users against malicious behavior.”

In addition to outlining what npm is and how it’s being used by threat actors, the report identifies five must-know facts about npm package security, as well as best practices to thwart npm attacks. 

To see if you have supply chain risks hidden in your organization, download WhiteSource Diffend here

To learn more about the report’s findings and download the full report, visit this link.

About WhiteSource

WhiteSource helps organizations accelerate‌ the development of secure software ‌at‌ ‌scale‌. We provide automated tools that help bridge the security knowledge gap, integrating easily into the software development life cycle and going beyond detection with a remediation-first approach. WhiteSource is built on the most comprehensive vulnerability database in the industry, providing the widest coverage for threats and attack vectors. Our solution helps enterprises like Microsoft, IBM, Comcast, Philips, and many more reduce security risk and increase the productivity of their security and development teams. For more information, visit www.whitesourcesoftware.com.

Contacts:

WhiteSource

Jacqueline Hogue
Director of Corporate Communications

jacqueline.hogue@whitesourcesoftware.com

Meet The Author

Adam Murray

Adam Murray is a content writer at WhiteSource. He began his career in corporate communications and PR, in London and New York, before moving to Tel Aviv. He’s spent the last ten years working with tech companies like Amdocs, Gilat Satellite Systems, Allot Communications, and Sisense. He holds a Ph.D. in English Literature. When he’s not spending time with his wife and son, he’s preoccupied with his beloved football team, Tottenham Hotspur.

Subscribe to Our Blog