Supply chain malware triage (NPM/PyPI/RubyGems)

When an advisory indicates a package contains embedded malicious code, treat the host as potentially compromised.

Heuristic: if an untrusted package executed install scripts or ran arbitrary code, assume secrets are burned.

Immediate response checklist

1) Contain

  • Stop the affected workload (CI runner, dev machine, container, server).
  • Preserve evidence:
      • process list
      • network connections
      • package lockfiles
      • npm/pip logs
      • shell history (as applicable)

2) Identify exposure

  • Search for the package name across:
      • package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
      • CI caches and build images
      • artifact registries
  • Determine whether it could have executed:
      • install scripts (preinstall, install, postinstall)
      • build steps that run JS/Python/Ruby

3) Rotate secrets (from a clean machine)

Rotate anything that might have been accessible to the compromised environment:

  • CI tokens (GitHub Actions, GitLab, Circle)
  • Cloud credentials (AWS/GCP/Azure)
  • SSH keys
  • NPM/PyPI tokens
  • Database credentials
  • Application secrets (JWT signing keys, session secrets)

4) Eradicate + rebuild

  • Prefer re-imaging over “remove the package”.
  • Rebuild artifacts in a clean, ephemeral environment.
  • Pin dependencies and enable provenance controls (see below).
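
A lockfile scan for step 2 ("Identify exposure"), added here as an example and not part of the original checklist: it lists every installed copy of a package in a parsed package-lock.json, whether npm recorded an install script for it (`hasInstallScript`), and whether it resolved from outside an allowed registry. The function names, `TRUSTED_REGISTRY`, and the sample lockfile are assumptions constructed for illustration.

```python
import json

# Constructed sample (lockfileVersion 3 layout); names and URLs are placeholders.
SAMPLE_LOCK = json.loads("""
{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/left": {"version": "2.1.0",
      "resolved": "https://registry.npmjs.org/left/-/left-2.1.0.tgz"},
    "node_modules/evil-pkg": {"version": "1.4.2", "hasInstallScript": true,
      "resolved": "https://registry.npmjs.org/evil-pkg/-/evil-pkg-1.4.2.tgz"},
    "node_modules/left/node_modules/evil-pkg": {"version": "1.3.0",
      "resolved": "https://mirror.example.invalid/evil-pkg-1.3.0.tgz"}
  }
}
""")
TRUSTED_REGISTRY = "https://registry.npmjs.org/"  # assumption: your allowed registry


def _finding(path, meta, install_script, registry):
    resolved = meta.get("resolved", "")
    return {"path": path, "version": meta.get("version"),
            "install_script": install_script,  # True / False / None (unknown)
            "off_registry": bool(resolved) and not resolved.startswith(registry)}


def find_package(lock, name, registry=TRUSTED_REGISTRY):
    """List every installed copy of `name` recorded in a parsed package-lock.json."""
    hits = []
    # lockfileVersion 2/3: flat "packages" map keyed by install location.
    for path, meta in lock.get("packages", {}).items():
        if path and path.rsplit("node_modules/", 1)[-1] == name:
            flag = meta.get("hasInstallScript", False)
            hits.append(_finding(path, meta, flag, registry))
    # lockfileVersion 1: nested "dependencies" tree, no install-script flag (None).
    def walk(deps, prefix):
        for dep, meta in deps.items():
            path = f"{prefix}node_modules/{dep}"
            if dep == name:
                hits.append(_finding(path, meta, None, registry))
            walk(meta.get("dependencies", {}), path + "/")
    if "packages" not in lock:
        walk(lock.get("dependencies", {}), "")
    return hits


if __name__ == "__main__":
    for hit in find_package(SAMPLE_LOCK, "evil-pkg"):
        print(hit)
```

An `install_script` value of `False` does not clear a copy: the package can still run code during build steps, and `None` (old lockfile format) should be treated as "could have executed".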

Hardening recommendations

  • Prefer lockfiles committed to source control.
  • Enforce dependency policies:
      • block unknown registries
      • require maintainer allowlists for critical projects
  • Use ephemeral CI runners (clean per job) and disable shared caches for sensitive steps.
  • Enable:
      • npm ignore-scripts where feasible
      • SLSA provenance / build attestations
      • SBOM generation and scanning

Quick detection tips

  • npm ls <pkg> to find dependency paths.
  • Search logs for suspicious child processes: curl, wget, powershell, bash -c.
  • Watch for unusual DNS/HTTP beacons during install/build.

References

  • GitHub Security Advisory feed frequently flags malware-in-package events. Treat “Any computer that has this package installed or running should be considered fully compromised” as a real incident response trigger.