5 npm Supply Chain Attacks That Should Keep You Up at Night

npm audit checks for known CVEs. It does nothing against supply chain attacks — the fastest-growing threat vector in open source. Here are 5 real attacks and what they teach us.

1. event-stream (2018)

A maintainer handed off a popular package to a stranger. The new maintainer added a dependency (flatmap-stream) containing an encrypted payload targeting Copay Bitcoin wallets. A package with 8 million weekly downloads was compromised.

Detection signal: New maintainer + new dependency added in same release.

2. ua-parser-js (2021)

The legitimate maintainer's npm account was hijacked, and malicious versions carrying cryptominers and credential stealers were published. The package had 7 million weekly downloads.

Detection signal: Suspicious install scripts in a package that never had them.

3. colors & faker (2022)

The maintainer intentionally sabotaged their own packages, adding infinite loops that broke thousands of projects, including AWS CDK. Not malware — but a supply chain integrity failure.

Detection signal: Sudden code change with no semver-appropriate version bump.

4. Typosquatting Campaigns (Ongoing)

Packages like lodahs, crossenv, and babelcli impersonate popular packages. Over 700 typosquat packages were removed from npm in 2023 alone.

Detection signal: Package name with Levenshtein distance ≤ 2 from a popular package.

5. node-ipc (2022)

The maintainer of node-ipc (used by Vue CLI) added code that overwrote files on machines with Russian or Belarusian IP addresses. Protestware used as a supply chain weapon.

Detection signal: Network calls or filesystem writes in postinstall scripts.
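Two of the detection signals above (a package name within edit distance 2 of a popular one, and install hooks appearing in a package that never had them), as an added example that is not DriftGuard's code; the popular-package list and the two manifests are constructed, and the risky-command pattern is a deliberately crude heuristic:

```javascript
// Added example (not DriftGuard's code): detection signals 2, 4 and 5 run over
// constructed in-memory package.json manifests.

// Plain Levenshtein edit distance between two package names.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Signal 4: name within edit distance 2 of a popular package, but not that package itself.
function typosquatMatches(name, popular) {
  if (popular.includes(name)) return [];
  return popular.filter((p) => levenshtein(name, p) <= 2);
}

// Signals 2 and 5: lifecycle hooks present in the new manifest but absent from the
// previous one; a crude pattern flags network or filesystem activity in the command.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
const RISKY = /\b(curl|wget|https?:\/\/|writeFile|fs\.)/; // heuristic, not exhaustive

function newInstallScripts(previous, current) {
  const before = (previous && previous.scripts) || {};
  const after = (current && current.scripts) || {};
  return LIFECYCLE_HOOKS.filter((h) => h in after && !(h in before)).map((h) => ({
    hook: h,
    command: after[h],
    risky: RISKY.test(after[h]),
  }));
}

// Constructed sample data: an assumed popular list and two made-up manifests.
const POPULAR = ["lodash", "cross-env", "babel-cli", "express", "react"];
const PREVIOUS = { name: "widget-parser", version: "1.0.0", scripts: { test: "mocha" } };
const CURRENT = {
  name: "widget-parser",
  version: "1.0.1",
  scripts: { test: "mocha", postinstall: "curl -s https://example.invalid/report" },
};

console.log(typosquatMatches("lodahs", POPULAR)); // [ 'lodash' ]
console.log(newInstallScripts(PREVIOUS, CURRENT)); // postinstall hook flagged, risky: true
```

Run it against a real lockfile by feeding each dependency's previous and current package.json into newInstallScripts and its name into typosquatMatches.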

How DriftGuard Detects These

DriftGuard's supply_chain_scan tool checks for:

Protect Your Supply Chain

npx @claytivi/driftguard-mcp init

Supply chain scanning is available on Pro tier and above.