DEV Community

Pau Dang

24 Hours of Chaos: Saving My Open Source Project from a Supply Chain Attack (plain-crypto-js)

Hello world,

I'm a Senior SE. Today, I want to share a "battle-tested" experience that just happened to my open-source project: nodejs-quickstart-structure.

This isn't just about code; it’s a lesson in Incident Response when facing professional malware designed to hijack npm, GitHub, and sensitive developer credentials.

1. The Threat: Axios & plain-crypto-js

While developing version v2.0.0, I fell victim to a Typosquatting attack. A malicious package or a "shell" dependency injected malware into my local environment.

  • The Suspect: Linked to the plain-crypto-js incident (a malware variant targeting devs using Axios).
  • The Behavior: It didn't just break my system; it silently exfiltrated:
    • Browser Cookies: Hijacking active sessions for Gmail, GitHub, and LinkedIn.
    • SSH Keys: Gaining unauthorized access to push code to repositories.
    • npm Tokens: Attempting to publish malicious releases under my name.

2. 0h00: Detection & Containment

Immediately after noticing suspicious logs and file modifications, I followed the "Security Textbook" playbook (see also: Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT):

  1. Deleted Local Repos: Wiped the execution environment of the malware.
  2. Revoked All Sessions: Used a clean device (mobile) to remotely sign out of Google, GitHub, Microsoft, and LinkedIn.
  3. Untrusted Devices: Removed my current machine from the "Trusted Devices" list of all critical accounts.

3. The Battle for npm (The Support Battle)

The worst-case scenario: The attacker hijacked the session and invalidated my 2FA (my stored Recovery Codes returned Invalid).

I immediately contacted npm Support:

  • Ticket ID: 4223695 was created.

  • The Strategy: Providing proof of ownership through my GitHub account (which I still control) and the project's long-standing commit history.

4. The Decision: Eradication (Wipe & Rebuild)

As an Architect, I know that if an OS is compromised by a Rootkit/Trojan, no antivirus can guarantee a 100% clean state. The only solution: Wipe & Rebuild.

  • The Method: Reset PC > Remove everything > Cloud download Windows.
  • Why Cloud Download? To ensure a fresh installation image directly from Microsoft, avoiding any malware lurking in the local Recovery partition.

5. Lessons Learned for Developers

  1. Dependency Vigilance: Always double-check new packages, especially those with names similar to popular libraries.
  2. 2FA is Not Enough: Attackers can bypass 2FA via Session Hijacking. Always be ready to Revoke Sessions remotely.
  3. Offline Recovery Codes: Don't just store them on your computer. Print them or use a decoupled password manager.
  4. Incident Response Mindset: When hacked, stay calm and follow: Containment -> Asset Protection -> Eradication -> Recovery.
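As an added example (not code from this post or from nodejs-quickstart-structure), lesson 1 turned into a small pre-install check: it flags dependency names that resemble well-known npm packages and reports dependencies whose manifest declares install-time scripts. The known-package list, the sample package.json and the sample dependency manifest are constructed for illustration.

```javascript
// Constructed allow-list of well-known packages; extend it with the ones your project relies on.
const KNOWN = ['axios', 'crypto-js', 'lodash', 'express', 'react', 'chalk'];

// Levenshtein edit distance, used to catch near-miss names such as "axois".
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Strip a scope and a decorative prefix so "plain-crypto-js" is compared as "crypto-js".
// A scoped or prefixed copy of a known name is reported for manual review, not auto-trusted.
function normalize(name) {
  return name.replace(/^@[^/]+\//, '').replace(/^(plain|node|js)-/, '');
}

// Lifecycle hooks that run arbitrary code during "npm install"; worth a look before installing.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
function installHooks(manifest) {
  return INSTALL_HOOKS.filter((h) => manifest.scripts && h in manifest.scripts);
}

// Returns [{ name, lookalike, reason }] for dependencies that resemble a known package.
function findLookalikes(pkgJson, known = KNOWN) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (known.includes(name)) continue; // exact, unscoped match to a known package
    const bare = normalize(name);
    if (bare.length < 4) continue; // very short names give meaningless distances
    for (const k of known) {
      const d = bare === k ? 0 : editDistance(bare, k);
      if (d <= 2) {
        findings.push({ name, lookalike: k, reason: d === 0 ? 'prefix/scope variant' : `edit distance ${d}` });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample package.json and a constructed manifest of a dependency with an install hook.
const samplePkg = { dependencies: { axios: '^1.6.0', 'plain-crypto-js': '^1.0.0', axois: '^1.0.0', lodash: '^4.17.21' } };
const sampleDepManifest = { name: 'plain-crypto-js', scripts: { postinstall: 'node setup.js' } };
```

Run it against your real package.json before `npm install`, and treat any finding plus an install hook as a reason to inspect the package contents rather than install it.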

Currently, I am in the process of restoring a "sterile" environment to finalize v2.0.0 for nodejs-quickstart-structure. You can check out the v2.0.0 beta details here:

Next gen Web UI - Browser Generator

The project will return with a higher security standard. I hope this story helps fellow developers protect their "digital children"!
