Maintainer Account Takeover Hits NPM Packages in Supply Chain Attack
A major supply chain attack targeting NPM packages has compromised numerous projects following a series of maintainer account takeovers. Attackers used automated credential scanners to locate secret keys exposed in public systems, including continuous integration (CI) environments. These credentials were then exploited to inject trojan-like scripts into legitimate packages, which were republished and distributed across the ecosystem.
The modified packages have the potential to infect any application that installs them, posing serious risks across development and production environments. At least 40 NPM packages have been confirmed compromised, according to multiple sources, including The Hacker News, Socket.dev, Aikido, and Wiz.io.
Though the attack has so far focused on the NPM ecosystem, experts warn the technique could be replicated across other package repositories.
Drupal's Security Team issued a public service announcement (PSA) on September 17, 2025, confirming the threat and urging site owners to take proactive steps. The PSA, reported by Nic Laflin, reinforces that site owners are responsible for monitoring and securing third-party libraries and non-Drupal components. Recommended mitigations include the use of Software Bills of Materials (SBOMs), scanning services, Content Security Policies (CSP), and Subresource Integrity (SRI).
Drupal’s own infrastructure and core codebase are not believed to be affected, based on assessments by the project’s maintainers and security team. The situation remains under close watch, and updates are expected as more information emerges.
For ongoing updates and resources, visit: https://www.drupal.org/psa-2025-09-17