Supply-Chain Attack Compromises 490+ NPM Packages With 132 Million Monthly Downloads

A supply-chain breach has compromised more than 490 npm packages that together record 132 million monthly downloads, targeting libraries linked to Ethereum Name Service, Zapier, and other cryptocurrency platforms, according to Aikido Security. The malware steals developer credentials and GitHub tokens at package installation time. If the stolen credentials grant access to code repositories, attackers can breach additional accounts and publish further compromised packages, enabling the attack to spread autonomously in a worm-like fashion.