Microsoft has reported a supply chain attack targeting the _@antv_ npm packages, where a compromised maintainer account published malicious versions of popular data-visualization libraries. This led to credential theft in CI/CD environments, impacting packages with significant downstream usage like _echarts-for-react_.
The malicious payload, an obfuscated JavaScript file, executes silently during `npm install` and attempts multi-platform credential extraction from services such as GitHub, AWS, HashiCorp Vault, and Kubernetes. GitHub responded quickly by removing 640 malicious packages and invalidating over 61,000 exposed tokens. To mitigate the risk, Microsoft recommends auditing dependencies, rotating credentials, and disabling npm install-time (lifecycle) scripts. The report also outlines specific attack methods, including privilege escalation and data exfiltration strategies.