Original Post: The mysterious supply chain concern of string-width-cjs npm package
The story begins with Sébastien Lorber, the maintainer of Docusaurus, noticing a suspicious change in a pull request for the cliui npm package, which used package aliasing, a feature allowing custom resolution rules for npm packages. While initially harmless, this led to the discovery of potential security risks linked to aliasing. Lorber used the tool lockfile-lint to find anomalies, revealing suspicious behavior in the string-width-cjs, strip-ansi-cjs, and wrap-ansi-cjs packages on npm. These packages were found to be tied to an anonymous user, himanshutester002, and exhibited characteristics of possible supply chain attacks, like lacking source code and being published anonymously.
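As an added illustration of the kind of lockfile anomaly the post describes, the following script (written for this page; it is not code from Sébastien Lorber, from lockfile-lint or from the cliui project) walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports two things: entries installed under one name but resolved to a different package (an alias such as `string-width-cjs` pointing at `string-width`), and entries whose tarball is fetched from a host other than the expected registry. The lockfile in the block is constructed for the example, and `EXPECTED_HOST` is an assumption about which registry the project trusts.

```javascript
// Added example, not from the original post or from lockfile-lint: audit the
// "packages" map of an npm lockfile (lockfileVersion 2/3) for aliased entries
// and for tarballs resolved outside the expected registry host.

const EXPECTED_HOST = 'registry.npmjs.org'; // assumption: the only registry this project trusts

// Constructed sample lockfile: one genuine alias (string-width-cjs -> string-width),
// one ordinary entry, and one entry resolved from an off-registry host.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/string-width': {
      version: '5.1.2',
      resolved: 'https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz',
    },
    'node_modules/string-width-cjs': {
      name: 'string-width', // npm records the real package name when an alias is used
      version: '4.2.3',
      resolved: 'https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz',
    },
    'node_modules/some-dep': {
      version: '0.0.1',
      resolved: 'https://example.invalid/some-dep/-/some-dep-0.0.1.tgz', // constructed off-registry host
    },
  },
};

// Name a package was installed under: the last "node_modules/" segment of its key
// (handles nested paths such as node_modules/a/node_modules/b).
function installedName(key) {
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// Package name encoded in a registry tarball URL: <host>/<name>/-/<file>.tgz
// (scoped packages appear as /@scope/name/-/name-x.y.z.tgz).
function packageNameFromResolved(resolved) {
  try {
    const url = new URL(resolved);
    const idx = url.pathname.indexOf('/-/');
    if (idx === -1) return null;
    return decodeURIComponent(url.pathname.slice(1, idx));
  } catch (e) {
    return null; // not a URL (e.g. a file: or git reference)
  }
}

function hostOf(resolved) {
  try {
    return new URL(resolved).host;
  } catch (e) {
    return null;
  }
}

// Returns { aliases: [...], offRegistry: [...] } for the given lockfile object.
function auditLockfile(lockfile, expectedHost = EXPECTED_HOST) {
  const report = { aliases: [], offRegistry: [] };
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === '' || !entry.resolved) continue; // root project / linked workspaces carry no tarball
    const installedAs = installedName(key);
    // Prefer the explicit "name" npm writes for aliases; fall back to the tarball path.
    const actualPackage = entry.name || packageNameFromResolved(entry.resolved);
    if (actualPackage && actualPackage !== installedAs) {
      report.aliases.push({ installedAs, actualPackage, version: entry.version });
    }
    if (hostOf(entry.resolved) !== expectedHost) {
      report.offRegistry.push({ installedAs, resolved: entry.resolved });
    }
  }
  return report;
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE), null, 2));
```

An alias is legitimate on its own; the reason to list them is that every alias name is also a name anyone can register on npm. A project that depends on aliases should confirm that any tooling resolving by bare package name (installs without the lockfile, alternative package managers, internal mirrors) cannot be handed an unrelated package published under the alias name, which is the dependency confusion scenario the post is concerned with.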
Further exploration exposed a network of potentially illegitimate npm packages, hinting at a broader campaign. The packages could be part of an attempt to inflate download numbers or misuse incentives on platforms like Tea, a Web3 token system for monetizing open-source software. This discovery highlights concerns about dependency confusion and supply chain vulnerabilities in npm packages. The ultimate goal of this activity seems to be to build false legitimacy for these packages and eventually exploit them maliciously.
The article emphasizes the importance of vigilant security practices and provides educational resources for maintaining security while working with open-source software. It questions whether these activities are a supply chain security campaign or an attempt to exploit token incentives, urging the community to remain alert.
Go here to read the Original Post