On September 8th, the Node.js ecosystem was hit by one of the most widespread supply chain attacks ever reported. A malicious actor poisoned numerous npm packages, compromising thousands of developers and organizations. This incident is another stark reminder: your software supply chain is only as secure as its weakest dependency.
Why This Matters
Modern applications lean heavily on open-source dependencies. Each dependency often pulls in dozens—or hundreds—of transitive dependencies. This creates an enormous and largely opaque supply chain surface area. Attacks like the npm hijack show just how easy it is for malicious code to slip in unnoticed unless you’re watching closely.
That’s why continuous monitoring is non-negotiable. Tools like Software Composition Analysis (SCA), Container Analysis, and SBOM Analysis are essential to identifying and mitigating threats before they spread.
How SOOS Helps
SOOS detects and manages malicious packages across your source, container, and SBOM assets using our patented SCA engine. When a malicious package is found, SOOS automatically creates an issue with one of two severities:
- Critical: A malicious version is present somewhere in your dependency tree. You must upgrade (or downgrade) to a safe version immediately.
- Info: Malicious versions exist, but the version you are using is not a known malicious variant. This is a signal to stay alert to prevent accidental adoption.

Protecting Against Accidental Upgrades
Even if you’re not currently affected, the risk of accidentally upgrading into a poisoned version is real. SOOS Package Policies allow you to explicitly block specific malicious versions. Combined with our “break the build” option, you can configure your CI/CD pipeline to fail fast if a risky package slips in.

Tracing Introduction Paths
Supply chain compromises are rarely simple. A malicious package may creep into your project through multiple introduction paths. The SOOS dependency tree helps you quickly identify exactly where—and how—bad versions are entering your environment, making cleanup and upgrades more targeted and efficient.
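As an added illustration of the two capabilities described above (blocking specific malicious versions, and tracing the introduction paths through which they enter a dependency tree), here is a small Node.js script that is not SOOS code and does not use the SOOS engine. It walks a package-lock.json (lockfileVersion 2/3 "packages" map) using Node's nearest-node_modules resolution, reports every root-to-package chain that ends in a blocked version, and classifies the result as Critical or Info in the sense the post uses. The blocklist, package names and lockfile fragment are all constructed for the example; nothing here refers to a real package.

```javascript
// Added example (not SOOS code): trace how a blocked package@version enters a
// project by walking package-lock.json (lockfileVersion 2/3 "packages" map)
// with Node's nearest-node_modules resolution, then classify the result the
// way the post describes (Critical / Info) so CI can break the build.

// Constructed blocklist: package names and versions here are hypothetical.
const BLOCKED = {
  "example-widget": new Set(["2.1.0"]),
  "example-colors": new Set(["5.0.1", "5.0.2"]),
};

// Constructed lockfile fragment: one blocked version reached directly, one
// reached transitively, and a nested older copy that is NOT blocked.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0",
          dependencies: { "example-widget": "^2.0.0", "example-cli": "^1.0.0" } },
    "node_modules/example-widget": { version: "2.1.0",
          dependencies: { "example-colors": "^5.0.0" } },
    "node_modules/example-colors": { version: "5.0.1" },
    "node_modules/example-cli": { version: "1.3.0",
          dependencies: { "example-colors": "^4.0.0" } },
    "node_modules/example-cli/node_modules/example-colors": { version: "4.9.0" },
  },
};

// Resolve `depName` as required from the package installed at `fromPath`:
// try fromPath/node_modules/depName, then each ancestor's node_modules.
function resolveDependency(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${depName}` : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name from an installed path ("node_modules/a/node_modules/@s/b" -> "@s/b").
function nameFromPath(pkgPath) {
  const marker = "node_modules/";
  return pkgPath.slice(pkgPath.lastIndexOf(marker) + marker.length);
}

// Depth-first walk from the root, recording every root-to-package chain that
// ends in a blocked version. A package reachable by several routes is reported
// once per route (the "multiple introduction paths" case); the on-stack set
// only prevents infinite loops on circular dependencies.
function findIntroductionPaths(lockfile, blocked) {
  const packages = lockfile.packages;
  const hits = [];
  const onStack = new Set();

  function walk(pkgPath, trail) {
    const entry = packages[pkgPath];
    if (!entry) return;
    for (const depName of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDependency(packages, pkgPath, depName);
      if (depPath === null) continue; // optional/peer dep that is not installed
      const version = packages[depPath].version;
      const nextTrail = trail.concat(`${depName}@${version}`);
      if (blocked[depName] && blocked[depName].has(version)) {
        hits.push({ package: depName, version, path: nextTrail });
      }
      if (onStack.has(depPath)) continue;
      onStack.add(depPath);
      walk(depPath, nextTrail);
      onStack.delete(depPath);
    }
  }

  const root = packages[""] || {};
  walk("", [`${root.name || "root"}@${root.version || "0.0.0"}`]);
  return hits;
}

// Critical: a blocked version is installed. Info: a package that has blocked
// versions is installed, but only in versions the policy allows. None: no overlap.
function policyVerdict(lockfile, blocked) {
  if (findIntroductionPaths(lockfile, blocked).length > 0) return "Critical";
  const watched = Object.keys(lockfile.packages)
    .some((p) => p !== "" && blocked[nameFromPath(p)] !== undefined);
  return watched ? "Info" : "None";
}

// Exit status for a "break the build" step: non-zero only on Critical.
function exitCodeFor(verdict) {
  return verdict === "Critical" ? 1 : 0;
}

// Stand-alone demo: print each introduction path and the verdict.
for (const hit of findIntroductionPaths(LOCKFILE, BLOCKED)) {
  console.log(`${hit.package}@${hit.version} via ${hit.path.join(" -> ")}`);
}
const verdict = policyVerdict(LOCKFILE, BLOCKED);
console.log(`verdict: ${verdict} (exit code ${exitCodeFor(verdict)})`);
```

In a pipeline you would read the real lockfile with JSON.parse, load the blocklist from a policy file, and pass exitCodeFor(verdict) to process.exit so a Critical finding fails the job. The resolution logic matters: the same package name can be installed at several nested paths in different versions, so a policy check that only looks at names, or only at the top-level node_modules, will both miss blocked copies and flag allowed ones.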

Smarter Notifications
Not every issue should trigger the same level of response. SOOS lets you set granular notification rules by issue type and severity. Whether you prefer email, Slack, or Microsoft Teams, you’ll always know when something critical demands immediate attention.

Think You Might Be Affected?
If you want to verify your projects now, SOOS offers a free 30-day fully featured trial (no credit card required) for up to 10 projects. Get started here: https://app.soos.io/register.
Once registered, you can:
- Run a GitHub QuickScan (for GitHub users)
- Install the SOOS SCA CLI to scan anywhere
- Use one of our pre-configured CI/CD integrations
Setup takes just minutes, and your first scan could save you from a devastating supply chain compromise.