Supply chain attack on NPM qix

Description

Recently, a widespread supply chain attack via NPM was discovered. Specifically, the NPM account of the well-known developer qix was compromised, allowing the attacker to publish dozens of maliciously injected packages such as chalk, strip-ansi, and color-convert, which have collectively been downloaded billions of times.

Although the incident has been identified and contained, developers and system administrators are strongly encouraged to audit their projects and systems to check whether any of the compromised packages have been used.

Affected Versions

• backslash@0.2.1
• chalk@5.6.1
• chalk-template@1.1.1
• color-convert@3.1.1
• color-name@2.0.1
• color-string@2.1.1
• wrap-ansi@9.0.1
• supports-hyperlinks@4.1.1
• strip-ansi@7.1.1
• slice-ansi@7.1.1
• simple-swizzle@0.2.3
• is-arrayish@0.3.3
• error-ex@1.3.3
• has-ansi@6.0.1
• ansi-regex@6.2.1
• ansi-styles@6.2.2
• supports-color@10.2.1
• proto-tinker-wc@1.8.7
• debug@4.4.2
• Other packages that depend on or include these affected modules may also be impacted.

Remediation Measures

• Audit project dependencies and system packages to identify any use of the affected modules.
• Verichains has released a quick scanning tool to assist with detection. You can find it here.
• Use the overrides feature in package.json to pin the affected packages to the last known safe versions (or newer versions that have been verified as clean).

References

• https://github.com/verichains/npm-scanner
• https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the
• https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack