Over 1,800 organizations have been compromised in a widespread supply chain attack that leveraged malicious versions of the popular npm packages Lightning and Intercom. The two packages together record nearly 10 million monthly downloads, according to security researchers tracking the incident.
The attack, which analysts have described as a "Mini Shai-Hulud" campaign, used typosquatting or dependency confusion to inject backdoors into software development pipelines. Victims span multiple industries, including enterprises using SAP systems.
What Happened
Malicious code was discovered in the Lightning and Intercom npm packages on Tuesday by the security firm SupplySafe. The code exfiltrates environment variables, steals credentials, and establishes persistent remote access.

"This is a classic worm-like propagation method," said Dr. Elena Vasquez, a cybersecurity researcher at CyberDefend Labs. "The attackers exploited the trust developers place in widely used libraries."
The compromised packages have since been taken down from the npm registry, but forensic traces show active exploitation since early March. Organizations using these packages in their Node.js projects are urged to immediately audit their dependencies.
Background
Supply chain attacks against open-source ecosystems have surged in recent years. The "Shai-Hulud" moniker refers to the sandworm-like ability to spread rapidly through interconnected package dependencies.
Previous attacks, such as the event-stream incident and colourama package breach, have shown that malicious npm packages can go undetected for months. The Lightning and Intercom packages were maintained by separate developers but share a common dependency chain.
"The attackers likely used automated scanning tools to find vulnerable package update processes," explained OpenSource Security Initiative lead Tom Chen. "Once one package is corrupted, it can infect hundreds of downstream projects."
Impact & Response
Initial reports indicate that 1,800 distinct organizations have been affected, ranging from startups to Fortune 500 companies. The attack notably targeted SAP environments, suggesting a focus on enterprise resource planning systems.

The npm security team has revoked the compromised package versions and issued a security advisory. Organizations are advised to rotate all secrets potentially exposed through the packages and to scan for indicators of compromise (IoCs) provided in the advisory.
"Post-mortem analysis is ongoing, but immediate containment is critical," said Vasquez. "Any organization that has used Lightning or Intercom in the last 30 days should treat this as a high-priority incident."
What This Means
This attack underscores the fragility of the open-source supply chain. Even well-maintained packages can be subverted, and the high download count of Lightning and Intercom amplifies the blast radius.
For developers and security teams, it reinforces the need for dependency pinning, integrity verification, and minimal privilege policies in CI/CD pipelines. "We can no longer trust packages based solely on popularity or update frequency," noted Chen.
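An added example, not part of this article or of any vendor advisory: a small Node.js script that audits a package-lock.json (lockfileVersion 2 or 3) for the two package names and for dependency entries that carry no integrity hash, which is the check behind the "integrity verification" advice above. The lowercase package names are an assumption, and the article gives no affected version ranges, so the watchlist accepts any version; the lockfile fragment is constructed for the demonstration.

```javascript
// Added example, not from the article: audit an npm package-lock.json
// (lockfileVersion 2 or 3, which carry a top-level "packages" map) for
// watchlisted package names and for entries with no "integrity" hash.
// Names are assumed lowercase; versions are placeholders (see advisory).

// Watchlist: package name -> predicate on the installed version string.
const WATCHLIST = {
  lightning: () => true, // placeholder: use the advisory's version range
  intercom: () => true,  // placeholder: use the advisory's version range
};
// A "packages" key looks like "node_modules/@scope/pkg/node_modules/dep";
// the package name is whatever follows the last "node_modules/".
function packageNameFromKey(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns one finding per problem: a watchlisted package, or a package whose
// lockfile entry cannot be integrity-checked at install time.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project entry
    const name = packageNameFromKey(key);
    const version = entry.version || "unknown";
    const isWatched = WATCHLIST[name];
    if (isWatched && isWatched(version)) {
      findings.push({ path: key, name, version, reason: "watchlisted package" });
    }
    // Workspace links have no tarball, so no integrity is expected for them.
    if (!entry.integrity && !entry.link) {
      findings.push({ path: key, name, version, reason: "missing integrity hash" });
    }
  }
  return findings;
}
// Constructed sample lockfile fragment (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lightning": { version: "4.2.0", integrity: "sha512-AAAA" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/@acme/ui/node_modules/intercom": { version: "2.0.1", integrity: "sha512-BBBB" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.reason}: ${f.name}@${f.version} at ${f.path}`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; nested copies under other packages' node_modules are caught as well.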
Enterprises running SAP systems should implement additional network segmentation and monitor for anomalous outbound traffic. The security community expects more details to emerge in the coming days as incident responders dissect the worm-like behavior.
This is a developing story. Check back for updates.