“Rather than working to compromise one company and being uncertain of the payoff, threat actors can compromise one developer and end up with their malware in hundreds, or even thousands of other companies,” said Gannon.
“Even if it takes ten times longer to compromise a developer, the payoff can be well over ten times what could have been made by compromising ten other companies in that same time period,” he pointed out.
What to do
In Hyslip’s view, beyond mandating multi-factor authentication (MFA) for maintainer accounts, developers should lock down dependencies using package-lock.json to stop malicious updates being applied across the dependency tree without the developer being aware. It is also a good idea to use tools to track installed versions, while relating these to known security vulnerabilities, he said.
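The lockfile check Hyslip describes, as an added example that is not the article's own code: it reads a lockfileVersion 2/3 package-lock.json (a constructed one, with made-up package names such as `left-pad-ish` and `@acme/colors-like`), lists the versions it pins, and flags any pin that falls inside a constructed advisory range or carries no integrity hash.

```javascript
// Added example, not the article's code: read a lockfileVersion 2/3 package-lock.json,
// list the versions it pins, and flag pins inside a known-vulnerable range or
// lacking an integrity hash. The lockfile and advisories below are constructed.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad-ish": { version: "1.2.3", integrity: "sha512-CONSTRUCTED" },
    "node_modules/left-pad-ish/node_modules/tiny-dep": { version: "0.9.1" },
    "node_modules/@acme/colors-like": { version: "1.4.44", integrity: "sha512-CONSTRUCTED" },
  },
});
// Constructed advisories: a package is affected when from <= version < below.
const ADVISORIES = [
  { name: "@acme/colors-like", from: "1.4.44", below: "1.4.45" },
  { name: "tiny-dep", from: "0.0.0", below: "1.0.0" },
];
// Compare dotted numeric versions; pre-release suffixes are ignored for brevity.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}
// Flatten the "packages" map: key is the install path, value has version/integrity.
function lockedPackages(lockJson) {
  const out = [];
  for (const [path, meta] of Object.entries(JSON.parse(lockJson).packages)) {
    if (path === "" || !meta.version) continue; // root project or workspace link
    const name = path.slice(path.lastIndexOf("node_modules/") + 13); // keeps @scope/name
    out.push({ name, version: meta.version, integrity: meta.integrity || null });
  }
  return out;
}

// Report pins inside an advisory range and pins that carry no integrity hash.
function auditLock(lockJson, advisories) {
  const findings = [];
  for (const pkg of lockedPackages(lockJson)) {
    const vulnerable = advisories.some((adv) => adv.name === pkg.name &&
      cmpVersion(pkg.version, adv.from) >= 0 && cmpVersion(pkg.version, adv.below) < 0);
    if (vulnerable) findings.push({ ...pkg, reason: "known-vulnerable range" });
    if (!pkg.integrity) findings.push({ ...pkg, reason: "no integrity hash" });
  }
  return findings;
}
```

A lockfile only pins what the installer honours: `npm ci` fails if package.json and package-lock.json disagree, whereas `npm install` may rewrite the lockfile, so CI pipelines should use `npm ci`.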