NPM supply chain attack detection?

AntonioSousa
DynaMight Guru

Just wondering how, or if, it is possible to detect situations like the one that involved NPM some days ago with Dynatrace?
https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/


Antonio Sousa
8 REPLIES

Kenny_Gillette
DynaMight Leader

I was wondering the same thing

Dynatrace Certified Professional

christian_kreuz
Dynatrace Advisor

If you are monitoring logs of your CI/CD pipeline, NPM Cache / Proxy, or even Renovate, you might be able to find the log output containing one of these malicious packages:

fetch logs
| search "*is-arrayish*"


My advice is to check which systems are monitored, and then narrow down the filters to a specialized query for those systems.

You can then re-use that when the next supply chain attack hits the world.
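The log search above works because the package name shows up in CI/CD, npm proxy and Renovate output, but a wildcard such as "*is-arrayish*" also hits every clean version of that package. The following is an added example, not code from the original post or from Dynatrace, showing how a practitioner would narrow the same idea to exact name@version indicators by parsing two artefacts a pipeline typically logs or uploads: registry tarball URLs and name@version tokens in log lines, and the packages in a package-lock.json. The log lines, the lockfile and the indicator list are constructed for the example; the is-arrayish version is the one reported for the September 2025 compromise and "@example/scoped-pkg" is a made-up scoped package used only to exercise the scoped-name handling. Verify every indicator against the advisory you are responding to before using this for real.

```python
import json
import re

# Constructed indicator list: (package name, exact compromised version).
# Replace with the list from the advisory you are responding to.
COMPROMISED = {
    ("is-arrayish", "0.3.3"),          # version reported for the Sept 2025 compromise; verify
    ("@example/scoped-pkg", "1.2.3"),  # made-up scoped package, illustrates scope handling
}

# Registry tarball URL: https://registry.npmjs.org/<name>/-/<short>-<version>.tgz
# (<name> may be scoped, e.g. @scope/pkg, in which case <short> is just pkg).
TARBALL_RE = re.compile(
    r"registry\.npmjs\.org/(?P<name>(?:@[^/\s]+/)?(?P<short>[^/\s]+))/-/(?P=short)-(?P<ver>[^/\s]+)\.tgz"
)
# Generic name@version token, as printed by npm, Renovate, yarn, pnpm and friends.
TOKEN_RE = re.compile(r"(?P<name>(?:@[\w.-]+/)?[\w.-]+)@(?P<ver>\d+\.\d+\.\d+[\w.+-]*)")


def versions_in_log(lines):
    """Return the set of (name, version) pairs referenced by the given log lines."""
    found = set()
    for line in lines:
        for m in TARBALL_RE.finditer(line):
            found.add((m.group("name"), m.group("ver")))
        for m in TOKEN_RE.finditer(line):
            found.add((m.group("name"), m.group("ver")))
    return found


def versions_in_lockfile(text):
    """Return (name, version) pairs from a package-lock.json (lockfileVersion 1, 2 or 3)."""
    lock = json.loads(text)
    found = set()
    # lockfileVersion 2/3: "packages" keyed by install path; the name is the last
    # path component after node_modules/, which also handles nested copies.
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:
            found.add((path.rsplit("node_modules/", 1)[-1], meta["version"]))

    def walk(deps):  # lockfileVersion 1: nested "dependencies" keyed by name
        for name, meta in deps.items():
            if "version" in meta:
                found.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def find_compromised(found, iocs=COMPROMISED):
    """Exact name@version matches only, so clean versions of the same package are not flagged."""
    return sorted(found & set(iocs))


# Constructed sample log lines from an npm install and a Renovate run.
LOG = """\
npm http fetch GET 200 https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.3.3.tgz 48ms
npm http fetch GET 200 https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.3.2.tgz 51ms
npm http fetch GET 200 https://registry.npmjs.org/@example/scoped-pkg/-/scoped-pkg-1.2.3.tgz 60ms
renovate: updating dependency is-arrayish@0.3.2 -> is-arrayish@0.3.3
"""

# Constructed package-lock.json (lockfileVersion 3) with a nested duplicate.
LOCKFILE = json.dumps({
    "name": "ci-sample", "lockfileVersion": 3,
    "packages": {
        "": {"name": "ci-sample", "version": "1.0.0"},
        "node_modules/is-arrayish": {"version": "0.3.3"},
        "node_modules/some-parent/node_modules/is-arrayish": {"version": "0.3.2"},
        "node_modules/@example/scoped-pkg": {"version": "1.2.3"},
    },
})

if __name__ == "__main__":
    print("from logs:    ", find_compromised(versions_in_log(LOG.splitlines())))
    print("from lockfile:", find_compromised(versions_in_lockfile(LOCKFILE)))
```

The exact-match set is what you would translate back into a narrowed DQL filter for the monitored systems, and the same script can be re-run against the next advisory by swapping the COMPROMISED set.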

@christian_kreuz,

Besides being affected or for forensics purposes, I was more wondering about detecting them before being impacted?

Antonio Sousa

I am not aware that Dynatrace has a built-in solution that can catch a supply chain attack - at least not in an early stage in the CI/CD pipeline.

One thing that might work in that direction is Runtime Vulnerability Analytics: https://docs.dynatrace.com/docs/secure/application-security/vulnerability-analytics

Though in that case, you already have that vulnerable dependency deployed somewhere, so someone might already have successfully exploited the supply chain attack.

So if I see this, then there is still an issue?

Dynatrace Certified Professional

You need to check the logs in detail. If you still see a certain dependency in a certain version being used in logs, then it's worthwhile investigating (could be a Pull Request Build, could be a release build, ...).

tfellinger
Dynatrace Promoter

Hello Antonio,

I'm currently working on a sample workflow that fetches malicious packages from OSV and compares them to monitored entities. It's currently a prototype, but the final version will create detection findings so they appear in the Threats & Exploits app.

Is that going into the direction you're thinking of?

If you'd like to provide feedback I'm happy to share the current version with you.
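To make the workflow idea above concrete, here is an added example (not tfellinger's prototype and not Dynatrace code) of the matching step: OSV advisory records in the shape the OSV API returns are compared against an inventory of monitored entities and their npm components, and each hit becomes a finding. The two advisory records, their IDs ("MAL-0000-EXAMPLE", "EXAMPLE-0002") and the inventory are constructed placeholders; the is-arrayish version is the one reported for the September 2025 compromise and "@example/scoped-pkg" is made up. A live run would fetch records with a POST to https://api.osv.dev/v1/query (shown in fetch_osv, which is not called here so the example runs offline). The SEMVER range handling is a simplification that assumes events are ordered and ignores pre-release tags.

```python
import json
import re
import urllib.request

# Constructed records in the OSV schema shape: "versions" lists exact affected
# versions (typical for malicious-package records), "ranges" gives SEMVER events.
OSV_RECORDS = [
    {
        "id": "MAL-0000-EXAMPLE",  # placeholder id, not a real OSV entry
        "summary": "Malicious code in is-arrayish (constructed sample record)",
        "affected": [
            {"package": {"ecosystem": "npm", "name": "is-arrayish"},
             "versions": ["0.3.3"]},  # version reported for the Sept 2025 compromise; verify
        ],
    },
    {
        "id": "EXAMPLE-0002",  # placeholder id
        "summary": "Constructed range-based record for a made-up package",
        "affected": [
            {"package": {"ecosystem": "npm", "name": "@example/scoped-pkg"},
             "ranges": [{"type": "SEMVER",
                         "events": [{"introduced": "1.2.0"}, {"fixed": "1.3.0"}]}]},
        ],
    },
]

# Constructed inventory: entity name -> (ecosystem, package, version) components.
INVENTORY = [
    {"entity": "checkout-service",
     "components": [("npm", "is-arrayish", "0.3.3"), ("npm", "lodash", "4.17.21")]},
    {"entity": "batch-worker",
     "components": [("npm", "is-arrayish", "0.3.2"), ("npm", "@example/scoped-pkg", "1.2.5")]},
]


def parse_semver(v):
    """Numeric dotted prefix of a version as a tuple; pre-release/build tags are ignored."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", v).group(0).split("."))


def in_range(rng, version):
    """Evaluate OSV SEMVER events (introduced / fixed / last_affected) for one version."""
    v = parse_semver(version)
    vulnerable = False
    for ev in rng.get("events", []):
        if "introduced" in ev:
            vulnerable = ev["introduced"] == "0" or v >= parse_semver(ev["introduced"])
        elif "fixed" in ev and vulnerable and v >= parse_semver(ev["fixed"]):
            vulnerable = False
        elif "last_affected" in ev and vulnerable and v > parse_semver(ev["last_affected"]):
            vulnerable = False
    return vulnerable


def is_affected(affected, ecosystem, name, version):
    """True if one OSV 'affected' entry covers the given package and version."""
    pkg = affected.get("package", {})
    if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
        return False
    if version in affected.get("versions", []):
        return True
    return any(r.get("type") == "SEMVER" and in_range(r, version)
               for r in affected.get("ranges", []))


def match_inventory(records, inventory):
    """Cross every component of every entity with every advisory; return findings."""
    findings = []
    for item in inventory:
        for eco, name, ver in item["components"]:
            for rec in records:
                if any(is_affected(a, eco, name, ver) for a in rec.get("affected", [])):
                    findings.append({"entity": item["entity"], "package": name,
                                     "version": ver, "advisory": rec["id"],
                                     "summary": rec.get("summary", "")})
    return findings


def fetch_osv(name, version, ecosystem="npm"):
    """Live lookup against the OSV API (network; not used by the offline example)."""
    body = json.dumps({"package": {"ecosystem": ecosystem, "name": name},
                       "version": version}).encode()
    req = urllib.request.Request("https://api.osv.dev/v1/query", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("vulns", [])


if __name__ == "__main__":
    for f in match_inventory(OSV_RECORDS, INVENTORY):
        print(f"{f['entity']}: {f['package']}@{f['version']} -> {f['advisory']}")
```

Each finding carries the entity, the exact component and the advisory ID, which is the information a detection finding needs before it can be surfaced in an app like Threats & Exploits; the clean 0.3.2 copy on batch-worker correctly produces nothing.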

AntonioSousa
DynaMight Guru

There's another nasty one that has been revealed, involving 40+ NPM packages:

https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised

Antonio Sousa
