Many of our clients are aware of recent Node Package Manager (NPM) supply chain attacks and so we felt it was appropriate to address our response.
First, on September 8, an NPM package maintainer was phished, leading to the compromise of 18 popular NPM packages.
Then, just a week later, hundreds of other packages were compromised in what became known as the Shai Hulud attack.
As a web application and website development agency, we use NPM extensively, so it’s worth providing some background and describing our response.
First, some background:
What is Node Package Manager (NPM)?
Node Package Manager (NPM) is the default package manager for JavaScript, providing developers with a central repository to install, manage, and share open-source libraries and tools for building modern applications efficiently.
What is a Supply Chain Attack?
A supply chain attack occurs when malicious actors compromise trusted third-party components such as software libraries, packages, or services in order to distribute harmful code downstream to developers and end users.
How did Workhorse respond to these attacks?
Workhorse responded immediately to assess the impact on our projects and clients, combining manual audits with automated scans using Snyk, one of our essential security tools. We were able to confirm and report that none of the compromised NPM packages had been deployed to any client or internal project.
What does Workhorse do to prevent and respond quickly to these types of threats?
To stay secure, Workhorse uses Snyk and other tools for continuous vulnerability scanning, conducts regular dependency audits, and enforces strict best practices for package management to both prevent and quickly respond to supply chain threats.
In addition, Workhorse is SOC 2 Type 2 compliant and is monitored year round to ensure that we adhere to the highest security, privacy, and compliance standards for our customers.