NPM supply chain attack detection?

AntonioSousa
DynaMight Guru

Just wondering how, or if, it is possible to detect situations like the one that involved NPM some days ago with Dynatrace?
https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/

Antonio Sousa

Kenny_Gillette
DynaMight Leader

I was wondering the same thing

Dynatrace Certified Professional

christian_kreuz
Dynatrace Advisor

If you are monitoring logs of your CI/CD pipeline, NPM Cache / Proxy, or even Renovate, you might be able to find the log output containing one of these malicious packages:

fetch logs
| search "*is-arrayish*"

My advice is to check which systems are monitored, and then narrow down the filters to a specialized query for those systems.

You can then re-use that when the next supply chain attack hits the world.
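An added example (not from the original thread, and not Dynatrace code) of what "narrowing down the filters" means in practice: the wildcard search above flags every log line that mentions the package name, including fetches of clean versions, while a detection that parses the package name and version out of the log line and compares both against a watch list only fires on the compromised releases. The log lines, the watch-list versions and the scoped package `@example/scoped-pkg` are all constructed for this example and do not come from any advisory.

```python
import re

# Constructed watch list of compromised package -> versions. The versions and the
# scoped package are placeholders for this example, not taken from any advisory.
COMPROMISED = {
    "is-arrayish": {"0.3.3"},
    "@example/scoped-pkg": {"2.0.1"},
}

# Registry tarball URL as npm logs it: https://<host>/<name>/-/<basename>-<version>.tgz
# <name> may be scoped (@scope/pkg); <basename> is the unscoped part.
TARBALL_RE = re.compile(
    r"https?://[^\s/]+/(?P<name>(?:@[^/\s]+/)?[^/\s]+)/-/[^/\s]+-(?P<version>\d[^/\s]*?)\.tgz"
)

# Bare spec as npm, Renovate or a lockfile diff prints it: name@1.2.3 or @scope/name@1.2.3
SPEC_RE = re.compile(
    r"(?<![\w/.])(?P<name>(?:@[\w.-]+/)?[\w.-]+)@(?P<version>\d+\.\d+\.\d+[\w.+-]*)"
)


def extract_specs(line):
    """All (name, version) pairs that one log line names, de-duplicated."""
    found = set()
    for rx in (TARBALL_RE, SPEC_RE):
        for m in rx.finditer(line):
            found.add((m.group("name"), m.group("version")))
    return found


def scan(lines, watch=COMPROMISED):
    """Exact name+version matches against the watch list: (line number, name, version)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, version in sorted(extract_specs(line)):
            if version in watch.get(name, ()):
                hits.append((n, name, version))
    return hits


def substring_search(lines, needle="is-arrayish"):
    """What a wildcard search on the name does: every line containing it at all."""
    return [n for n, line in enumerate(lines, 1) if needle in line]


# Constructed CI log lines (npm client output plus a cache/proxy style line).
SAMPLE_LOG = [
    "npm http fetch GET 200 https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.2.1.tgz 41ms",
    "npm http fetch GET 200 https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.3.3.tgz 38ms",
    "npm WARN deprecated @example/scoped-pkg@2.0.1: this version is deprecated",
    "npm http fetch GET 200 https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz 30ms",
    "added 3 packages, audited 120 packages in 2s",
    "cache: resolving is-arrayish from local cache",
]

if __name__ == "__main__":
    print("substring hits:", substring_search(SAMPLE_LOG))  # also flags the clean 0.2.1 fetch
    print("exact hits:", scan(SAMPLE_LOG))
```

The substring search returns lines 1, 2 and 6; only line 2 (the compromised version) and line 3 (the scoped spec) survive the exact match. The same name+version comparison can be expressed in DQL once you know which log sources and line formats your pipeline actually emits, which is why checking what is monitored comes first.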

@christian_kreuz ,

Besides being affected or for forensics purposes, I was more wondering about detecting them before being impacted?

Antonio Sousa

I am not aware that Dynatrace has a built-in solution that can catch a supply chain attack - at least not in an early stage in the CI/CD pipeline.

One thing that might work into that direction is Runtime Vulnerability Analytics: https://docs.dynatrace.com/docs/secure/application-security/vulnerability-analytics

Though in that case, you already have that vulnerable dependency deployed somewhere, therefore someone might already have successfully exploited the supply chain attack.

So if I see this then there is still an issue?

Dynatrace Certified Professional

You need to check the logs in detail. If you still see a certain dependency in a certain version being used in logs, then it's worthwhile investigating (could be a Pull Request Build, could be a release build, ...).

tfellinger
Dynatrace Promoter

Hello Antonio,

I'm currently working on a sample workflow that fetches malicious packages from OSV and compares them to monitored entities. It's currently a prototype, but the final version will create detection findings so they appear in the Threats & Exploits app.

Is that going into the direction you're thinking of?

If you'd like to provide feedback I'm happy to share the current version with you.
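To make concrete what "fetch malicious packages from OSV and compare them to monitored entities" involves, here is an added example (not tfellinger's prototype and not a Dynatrace workflow). It takes advisory records in the shape of the OSV schema (`affected[].package`, `affected[].versions`, `affected[].ranges[].events`), builds an index of affected npm names and versions, and reports every inventory entry an advisory covers. The two advisory records, their ids `EXAMPLE-0001`/`EXAMPLE-0002` and the inventory of process groups are constructed for this example; in a real workflow the records would come from OSV and the inventory from Dynatrace.

```python
import json

# Two advisory records constructed for this example in the shape of the OSV
# schema. The ids, package names and versions are placeholders, not real advisories.
ADVISORIES_JSON = """
[
  {"id": "EXAMPLE-0001", "summary": "placeholder: malicious versions published",
   "affected": [{"package": {"ecosystem": "npm", "name": "is-arrayish"},
                 "versions": ["0.3.3"]}]},
  {"id": "EXAMPLE-0002", "summary": "placeholder: compromised release line",
   "affected": [{"package": {"ecosystem": "npm", "name": "@example/scoped-pkg"},
                 "ranges": [{"type": "SEMVER",
                             "events": [{"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}]},
                {"package": {"ecosystem": "PyPI", "name": "unrelated"},
                 "versions": ["1.0.0"]}]}
]
"""

# Constructed stand-in for "monitored entities": (process group, package, version).
INVENTORY = [
    ("checkout-service", "is-arrayish", "0.3.3"),
    ("checkout-service", "is-arrayish", "0.2.1"),
    ("billing-api", "@example/scoped-pkg", "2.0.5"),
    ("billing-api", "@example/scoped-pkg", "2.1.0"),
    ("billing-api", "unrelated", "1.0.0"),
]


def parse_version(v):
    """Numeric core of a semver string, zero-padded to three parts.
    Pre-release and build suffixes are dropped (assumption: adequate here)."""
    core = v.split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version, events):
    """OSV range semantics: 'introduced' opens a window, 'fixed' closes it
    (exclusive), 'last_affected' closes it (inclusive); events are ordered."""
    v = parse_version(version)
    start = None
    for ev in events:
        if "introduced" in ev:
            start = parse_version(ev["introduced"])
        elif "fixed" in ev and start is not None:
            if start <= v < parse_version(ev["fixed"]):
                return True
            start = None
        elif "last_affected" in ev and start is not None:
            if start <= v <= parse_version(ev["last_affected"]):
                return True
            start = None
    return start is not None and v >= start


def build_index(advisories, ecosystem="npm"):
    """Map package name -> list of (advisory id, explicit versions, ranges)."""
    index = {}
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != ecosystem:
                continue
            ranges = [r["events"] for r in aff.get("ranges", [])
                      if r.get("type") in ("SEMVER", "ECOSYSTEM")]
            index.setdefault(pkg["name"], []).append(
                (adv["id"], set(aff.get("versions", [])), ranges))
    return index


def match_inventory(index, inventory):
    """One finding per (entity, package, version) that an advisory covers."""
    findings = []
    for entity, name, version in inventory:
        for adv_id, explicit, ranges in index.get(name, []):
            if version in explicit or any(in_range(version, ev) for ev in ranges):
                findings.append((entity, name, version, adv_id))
    return findings


def run():
    index = build_index(json.loads(ADVISORIES_JSON))
    return match_inventory(index, INVENTORY)


if __name__ == "__main__":
    for f in run():
        print("finding: %s uses %s@%s (%s)" % f)
```

Only `checkout-service` with `is-arrayish@0.3.3` and `billing-api` with `@example/scoped-pkg@2.0.5` produce findings: `0.2.1` is not in the explicit list, `2.1.0` is the fixed version and so outside the range, and the PyPI entry is filtered out by ecosystem. Each finding tuple is the kind of record a workflow would turn into a detection finding.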

AntonioSousa
DynaMight Guru

There's another nasty one that has been revealed to happen with 40+ NPM packages:

https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised

Antonio Sousa

mattia
Dynatrace Promoter

If you use the Dynatrace module Runtime Vulnerability Analytics, affected packages will also be reported as they belong to our feeds (e.g. Snyk), so you will be notified by RVA if you use packages which are impacted.
This is a great way to democratize ownership of such activities.

If you would like to build a sort of dashboard, it might be useful to build a Notebook used as a runbook (or a dashboard) to keep track. You could check NodeJS components used and their version, here is a nice article from Sam Bernardy detailing the type of notebook you could use 
https://www.linkedin.com/pulse/beyond-scan-dynatrace-hunting-shai-hulud-data-samuel-bernardy-rqybc/?...
