Back to All Scenarios
PASSEDsecurity / supply_chain_compromise
Supply Chain Compromise — Malicious NPM Package
A popular NPM package used across the organization's Node.js microservices is compromised via a maintainer account takeover. The malicious version exfiltrates environment variables (including database credentials and API keys) to an attacker-controlled endpoint. The compromised package was automatically pulled in during a routine CI/CD build.
Pattern
UNKNOWN
Severity
CRITICAL
Confidence
95%
Remediation
Remote Hands
Test Results
| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | UNKNOWN | UNKNOWN | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 42 linked | |
| Cascade Escalation | Yes | Yes | |
| Remediation | — | Remote Hands — Corax contacts on-site support via call, email, or API |
Scenario Conditions
NPM package '@acme/shared-utils' v3.2.1 compromised (maintainer account hijacked). Package used by 14 microservices. CI/CD pipeline auto-installed latest minor version. Malicious postinstall script runs on npm install. Exfiltrates process.env to external endpoint. 6 production services already deployed with malicious version.
Injected Error Messages (3)
CI/CD pipeline security alert — npm audit found HIGH severity advisory in '@acme/shared-utils@3.2.1': compromised package, malicious postinstall script detected, script exfiltrating environment variables via encoded POST request, package maintainer account compromised, 14 microservice builds affected, 6 builds already deployed to production in last 4 hours, lockfile integrity check: FAILED
Suricata IDS: suspicious outbound data exfiltration — 6 production containers making POST requests to cdn-analytics-collector.evil.com (IP: 45.133.1.71), payload contains base64-encoded environment variable dumps, detected secrets in exfiltrated data: DATABASE_URL, API_KEY, JWT_SECRET, STRIPE_SECRET_KEY, total exfiltration events: 847 in last 4 hours, ET signature: 'Possible NPM Supply Chain Attack Data Exfiltration'
Production services compromised — 6 ECS tasks running malicious '@acme/shared-utils@3.2.1', process.env exfiltrated including production database credentials and third-party API keys, Stripe API key potentially compromised (sk_live_...), all production secrets must be considered breached, 14 services require emergency rebuild with pinned package versions, incident response: credential rotation required for all exposed secrets
Neural Engine Root Cause Analysis
The CI/CD pipeline has been compromised through a malicious npm package '@acme/shared-utils@3.2.1' containing a postinstall script that exfiltrates environment variables. The package maintainer's account was compromised, leading to injection of malicious code that steals sensitive data during builds. This has affected 14 microservice builds with 6 already deployed to production, creating a critical security breach with potential exposure of secrets, API keys, and environment configurations.
Remediation Plan
1. IMMEDIATE: Block all CI/CD pipeline executions and quarantine affected builds. 2. Revoke and rotate all environment variables, API keys, secrets, and credentials that may have been exposed in the last 4 hours. 3. Roll back the 6 production deployments that used the compromised package immediately. 4. Remove '@acme/shared-utils@3.2.1' from all package.json files and lockfiles. 5. Update to a verified clean version of the package or implement alternative dependency. 6. Conduct security audit of all systems that may have been accessed with the exfiltrated credentials. 7. Review and strengthen supply chain security policies including package verification and dependency scanning. 8. Monitor for any unauthorized access or data exfiltration using the compromised credentials.
Tested: 2026-03-30Monitors: 3 | Incidents: 3Test ID: cmncjwhxz05c0obqe5l4kz5hk