Hiking-Logbook

Security Audit Report: NPM Supply Chain Attack (Debug & Chalk)

Summary

This report documents a significant NPM supply chain attack that compromised 18 popular packages, including debug and chalk, through a phishing attack on a maintainer’s account. The attack resulted in malicious code being injected into legitimate packages, targeting crypto/web3 wallet activity.

1. What Caused the Supply Chain Attack? (Point of Failure)

The point of failure was the compromise of a maintainer’s NPM account through a phishing email:

• The maintainer received an email from a fake domain (npmjs.help) impersonating NPM support
• After entering credentials, attackers gained unauthorized access to the maintainer’s account
• With maintainer access, attackers published new malicious versions of legitimate packages
• The compromised versions included obfuscated code in files like index.js that executed in client browsers
• The malicious code silently intercepted crypto/web3 wallet activity and redirected funds

2. List of Compromised Packages and Their Versions

According to the Aikido blog report, the following 18 packages were compromised:

Package	Compromised Version
backslash	0.2.1
chalk-template	1.1.1
supports-hyperlinks	4.1.1
has-ansi	6.0.1
simple-swizzle	0.2.3
color-string	2.1.1
error-ex	1.3.3
color-name	2.0.1
is-arrayish	0.3.3
slice-ansi	7.1.1
color-convert	3.1.1
wrap-ansi	9.0.1
ansi-regex	6.2.1
supports-color	10.2.1
strip-ansi	7.1.1
chalk	5.6.1
debug	4.4.2
ansi-styles	6.2.2

3. Report of Our Packages

Frontend Audit Results

Status: NOT COMPROMISED by the supply chain attack

Audit Summary:

• 9 vulnerabilities found (3 moderate, 6 high)
• No compromised packages from the supply chain attack detected
• Vulnerabilities are in build tools (nth-check, postcss, webpack-dev-server)

Current Vulnerabilities:

• nth-check <2.0.1 (high) - Inefficient Regular Expression Complexity
• postcss <8.4.31 (moderate) - PostCSS line return parsing error
• webpack-dev-server <=5.2.0 (moderate) - Source code theft vulnerabilities

Backend Audit Results

Status: CLEAN - No vulnerabilities found

Audit Summary:

• 0 vulnerabilities found
• No compromised packages from the supply chain attack detected
• Backend dependencies are secure

Overall Risk Assessment

• No compromised packages from the supply chain attack found in either frontend or backend
• Frontend has other security vulnerabilities in build tools (not supply chain related)

4. Report of Our Packages’ Packages (Sub-dependencies)

Sub-dependency Analysis

Status: SAFE - No compromised packages found in sub-dependencies

Frontend Sub-dependency Check:

• debug found: 4.4.1 (SAFE - not the compromised 4.4.2)
• chalk found: 4.1.2 (SAFE - not the compromised 5.6.1)
• ansi-styles found: 4.3.0, 5.2.0, 6.2.1 (SAFE - not the compromised 6.2.2)
• color-convert found: 1.9.3, 2.0.1 (SAFE - not the compromised 3.1.1)
• color-name found: 1.1.3, 1.1.4 (SAFE - not the compromised 2.0.1)
• supports-color found: 5.5.0, 7.2.0, 8.1.1 (SAFE - not the compromised 10.2.1)
• strip-ansi found: 6.0.1, 7.1.0 (SAFE - not the compromised 7.1.1)
• ansi-regex found: 5.0.1, 6.1.0, 6.2.0 (SAFE - not the compromised 6.2.1)
• wrap-ansi found: 7.0.0, 8.1.0, 9.0.0 (SAFE - not the compromised 9.0.1)
• error-ex found: 1.3.2 (SAFE - not the compromised 1.3.3)
• is-arrayish found: 0.2.1 (SAFE - not the compromised 0.3.3)
• slice-ansi found: 5.0.0, 7.1.0 (SAFE - not the compromised 7.1.1)
• supports-hyperlinks found: 2.3.0 (SAFE - not the compromised 4.1.1)

Backend Sub-dependency Check:

• debug found: 2.6.9, 4.4.1 (SAFE - not the compromised 4.4.2)
• chalk found: 4.1.2 (SAFE - not the compromised 5.6.1)
• ansi-styles found: 4.3.0, 5.2.0, 6.2.1 (SAFE - not the compromised 6.2.2)
• color-convert found: 2.0.1 (SAFE - not the compromised 3.1.1)
• color-name found: 1.1.4 (SAFE - not the compromised 2.0.1)
• supports-color found: 5.5.0, 7.2.0, 8.1.1 (SAFE - not the compromised 10.2.1)
• strip-ansi found: 6.0.1, 7.1.0 (SAFE - not the compromised 7.1.1)
• ansi-regex found: 5.0.1, 6.2.0 (SAFE - not the compromised 6.2.1)
• wrap-ansi found: 7.0.0, 8.1.0 (SAFE - not the compromised 9.0.1)
• error-ex found: 1.3.2 (SAFE - not the compromised 1.3.3)

• is-arrayish found: 0.2.1 (SAFE - not the compromised 0.3.3)

• No compromised packages found in any sub-dependencies
• All found packages are using older, secure versions

5. Measures to Avoid Being Infected by Upstream Packages (Protecting Against Supply Chain Attacks)

Immediate Actions

1. Use Lock Files: Ensure package-lock.json files are committed and used to pin dependencies to exact versions
2. Run Security Audits: Execute npm audit regularly and address all vulnerabilities
3. Automated Scanning: Implement tools like:
   • Socket.dev for real-time monitoring
   • GitHub Dependabot for automated updates

Package Selection Criteria

• Prefer Well-Maintained Libraries: Choose packages with active communities and regular updates
• Avoid Abandoned Packages: Steer clear of packages with no recent commits or updates
• Check Download Counts: Be cautious with packages that have very low download counts
• Review Package Maintainers: Verify the reputation and activity of package maintainers

Regular Monitoring

• Dependency Audits: Run npm audit before each deployment
• Dependency Tree Review: Regularly review npm ls output for unexpected packages

6. Measures to Avoid Your Product Being Infected (Protecting Your Own Project)

Development Security

1. Dependency Review Policies: Implement mandatory review processes before adding new packages
2. Static Analysis: Use tools to detect obfuscated or suspicious code in dependencies
3. Sandbox Testing: Test new dependencies in isolated environments before production use
4. Runtime Monitoring: Monitor application runtime for unexpected network calls or behavior

CI/CD Security Implementation

1. Security Scans: Integrate security scanning into CI/CD pipelines
2. Automated Testing: Run security tests as part of the build process
3. Dependency Updates: Implement automated, controlled dependency updates

8. Conclusion

This supply chain attack highlights the critical importance of dependency security in software development.

The key takeaway is that security is not just about protecting your own code, but also about carefully managing and monitoring all external dependencies throughout their lifecycle.

---