{"id":10773,"date":"2026-02-27T03:02:23","date_gmt":"2026-02-27T03:02:23","guid":{"rendered":"https:\/\/mailitics.com\/index.php\/2026\/02\/27\/tenable-warns-of-supply-chain-attack-on-npm-registry-2845520\/"},"modified":"2026-02-27T03:02:23","modified_gmt":"2026-02-27T03:02:23","slug":"tenable-warns-of-supply-chain-attack-on-npm-registry-2845520","status":"publish","type":"post","link":"https:\/\/mailitics.com\/index.php\/2026\/02\/27\/tenable-warns-of-supply-chain-attack-on-npm-registry-2845520\/","title":{"rendered":"Tenable warns of supply chain attack on npm Registry"},"content":{"rendered":"<div>\n<p><a href=\"https:\/\/www.tenable.com\/\" target=\"_blank\" rel=\"noopener\">Tenable Research<\/a> has uncovered a supply chain attack on the npm Registry which, the company said, demonstrates the speed at which modern supply chain risks can propagate.<\/p>\n<p>The npm Registry is the public repository of open-source packages for Node.js and the wider JavaScript ecosystem, used for front-end web apps, mobile apps, robots, routers and other tools built by JavaScript developers.<\/p>\n<p>The attack uncovered by Tenable researchers involved uploading a malicious package to the registry that was designed to mimic a popular existing package and to infect developers\u2019 systems across Windows, macOS and Linux. In the five hours before it was removed, the malicious package was downloaded around 50,000 times, Tenable Research said. The threat is notable in that it did not require a developer to import or run any of the package\u2019s code to fall victim: installing it was enough.<\/p>\n<p>The moment the install command for the package is run, a hidden preinstall script declared in the package manifest executes automatically in the background, fingerprints the victim\u2019s system and installs the malware. Preinstall is a standard npm lifecycle hook, and npm runs it for every package it installs unless lifecycle scripts are explicitly disabled, which is why no further action by the developer was needed.<\/p>\n<p>Unlike legitimate software that has been compromised, the spoofed package\u2019s only purpose is to deliver the malware, according to Tenable Director for Research Ari Eitan. The malware uses multiple techniques to evade detection, and once installed it is capable of exfiltrating sensitive data including screenshots and passwords.<\/p>\n<p>\u201cDevelopers often assume that if a package is available on a public registry it is safe to download,\u201d he said. \u201cBy hiding the attack inside the installation process, hackers ensure they are inside your system before you\u2019ve even had a chance to verify the code.\u201d<\/p>\n<p>More information about the malicious package, ambar-src, can be found <a href=\"https:\/\/www.tenable.com\/blog\/cybersecurity-research-faq-new-malicious-npm-package-ambar-src\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p><small>Image credit: iStock.com\/ATHVisions<\/small><\/p>\n<\/div>\n<p><a href=\"https:\/\/www.technologydecisions.com.au\/content\/security\/news\/tenable-warns-of-supply-chain-attack-on-npm-registry-2845520?utm_source=rss\">Go to Technology Decisions<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tenable Research has uncovered a supply chain attack on the npm Registry which the company said demonstrates the speed at which modern supply chain risks can propagate.
The npm Registry is a public collection of packages of open-source code for Node.js, including front-end web apps, mobile [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[44],"tags":[48],"class_list":["post-10773","post","type-post","status-publish","format-standard","hentry","category-technology-decisions","tag-technology-decisions"],"_links":{"self":[{"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/posts\/10773"}],"collection":[{"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/comments?post=10773"}],"version-history":[{"count":0,"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/posts\/10773\/revisions"}],"wp:attachment":[{"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/media?parent=10773"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/categories?post=10773"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mailitics.com\/index.php\/wp-json\/wp\/v2\/tags?post=10773"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}