The npm platform is the target of another supply chain attack, with crims already compromising 187 packages and counting.

According to Charlie Eriksen, malware researcher at Aikido, the attacker appears to be the same one who targeted Nx at the end of August – a campaign in which developers' secrets, such as credentials, were posted to public GitHub pages.

Socket and Step Security first reported the latest round of attacks on September 15, with 40 packages affected, but Eriksen has since seen 147 additional packages compromised through similar means, including those from security giant CrowdStrike.

However, Eriksen said that the attackers "have upped their game," evolving their tradecraft to adopt a self-propagating worm.

The way the attack works is that miscreants embed a malicious pa
