Malicious Code in Dependencies

Typosquatting attacks create malicious packages with names similar to popular legitimate packages. Attackers rely on developer typos during installation to distribute malware. The npm ecosystem has seen numerous such attacks, with malicious packages sometimes remaining undetected for months. These packages often exfiltrate environment variables, cryptocurrency wallets, or source code from infected systems.

Compromised maintainer accounts represent another vector for injecting malicious code into legitimate packages. When attackers gain access to maintainer credentials through phishing, credential stuffing, or social engineering, they can publish malicious updates to trusted packages. The event-stream incident demonstrated this approach, where attackers specifically targeted a package used by cryptocurrency applications to steal funds.

Supply chain injection attacks involve compromising the build or distribution infrastructure of legitimate projects. Attackers might modify source repositories, compromise build servers, or replace packages in transit. The CCleaner attack showed how compromising build infrastructure can distribute malware to millions of users through trusted software update channels. In the dependency context, such attacks can propagate rapidly through the software supply chain.