In this episode of Web News, Matt and Mike dive into two massive worm attacks that recently hit npm, targeting packages used in millions of projects. While the attackers aimed to steal crypto wallet keys, the actual damage was small—but the implications are enormous. We break down how these man-in-the-middle attacks worked, why shadow dependencies are such a big risk, and what tools like pnpm’s minimum release age can do to help. We also discuss whether AI might allow developers to skip quick one-time npm packages entirely, reducing dependency sprawl and potential vulnerabilities.
In the last two weeks there have been two massive worm attacks (causing man-in-the-middle attacks) on npm packages that are used as dependencies in millions of projects. Both were achieved by the attackers gaining access to the admin accounts of package maintainers. The goal seemed to be to steal crypto private keys and drain funds from wallets, even though the attacks were successful, the amount stolen was fairly inconsequential, but this still leads us to talk about the potential consequences that could come from these attacks in the future. And also highlights the dangers of having too many dependencies, especially nested or “shadow dependencies” buried within npm packages within further npm packages.
Links:
