topic Re: NPM supply chain attack detection? in Open Q&A

NPM supply chain attack detection?

AntonioSousa — Wed, 24 Sep 2025 06:51:42 GMT

Just wondering how, if, it is possible to detect situations like the one that involved NPM some days ago, with Dynatrace?
https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/

Re: NPM supply chain attack detection?

Kenny_Gillette — Thu, 11 Sep 2025 16:55:07 GMT

I was wondering the same thing

Re: NPM supply chain attack detection?

christian_kreuz — Fri, 12 Sep 2025 12:02:19 GMT

If you are monitoring logs of your CI/CD pipeline, NPM Cache / Proxy, or even Renovate, you might be able to find the log output containing one of these malicious packages:

fetch logs | search "*is-arrayish*"

My advise is to check which systems are monitored, and then narrow down the filters to a specialized query for those systems.

You can then re-use that when the next supply chain attack hits the world.

Re: NPM supply chain attack detection?

AntonioSousa — Fri, 12 Sep 2025 12:46:37 GMT

@christian_kreuz ,

Besides being affected or for forensics purposes, I was more wondering about detecting them before being impacted?

Re: NPM supply chain attack detection?

Kenny_Gillette — Fri, 12 Sep 2025 13:03:20 GMT

So if I see this then there is still an issue?

Re: NPM supply chain attack detection?

christian_kreuz — Mon, 15 Sep 2025 06:14:27 GMT

I am not aware that Dynatrace has a built-in solution that can catch a supply chain attack - at least not in an early stage in the CI/CD pipeline.

One thing that might work into that direction is Runtime Vulnerability Analytics: https://docs.dynatrace.com/docs/secure/application-security/vulnerability-analytics

Though in that case, you already have that vulnerable dependency deployed somewhere, therefore someone might already have successfully exploited the supply chain attack.

Re: NPM supply chain attack detection?

christian_kreuz — Mon, 15 Sep 2025 06:18:39 GMT

You need to check the logs in detail. If you still see a certain dependency in a certain version being used in logs, then it's worthwhile investigating (could be a Pull Request Build, could be a release build, ...).

Re: NPM supply chain attack detection?

tfellinger — Mon, 15 Sep 2025 13:50:20 GMT

Hello Antonio,

I'm currently working on a sample workflow that fetches malicious packages from OSV and compares them to monitored entities. It's currently a prototype, but the final version will create detection findings so they appear in the Threats & Exploits app.

Is that going into the direction you're thinking of?

If you'd like to provide feedback I'm happy to share the current version with you.

Re: NPM supply chain attack detection?

AntonioSousa — Tue, 16 Sep 2025 20:25:25 GMT

There's another nasty one that has been revealed to happen with 40+ NPM packages:

https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised

Re: NPM supply chain attack detection?

mattia — Tue, 23 Sep 2025 13:27:14 GMT

If you use the Dynatrace module Runtime Vulnerability Analytics, affected packages will also be reported as they belong to our feeds (e.g. Snyk) so you will be notified by RVA if you use packages which are impacted.
This is a great way to democratize ownership of such activities.

If you would like to build a sort of dashboard, it might be useful to build a Notebook used as a runbook (or a dashboard) to keep track. You could check NodeJS components used and their version, here is a nice article from Sam Bernardy detailing the type of notebook you could use
https://www.linkedin.com/pulse/beyond-scan-dynatrace-hunting-shai-hulud-data-samuel-bernardy-rqybc/?trackingId=D2fFwU3NRqSLIstq4duPiw%3D%3D