September 2025 NPM supply chain attacks and builds of Hadoop.

There have been two attacks on developers through subverted npm artifacts this month.
The first npm supply chain attack of September was against files used in the node.js part of our distros - the yarn application catalog.

https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

Here's the dependency list of compromised artifacts we have in trunk and all previous branches:

  "chalk": "1.1.1",
  "color": "^3.1.3",
  "color-convert": "^1.9.3",
  "color-name": "1.1.3",
  "color-string": "^1.6.0",
  "simple-swizzle": "^0.2.2"

These are all from hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/package.json. This manifest hasn't been updated since 2023.

None of these are on the exposed list, but any developer playing with later versions of the libraries should consider themselves as at risk.

Note: this was node.js supply chain attack #1 this week, which only went for crypto-currency secrets.

Attack #2 is in a different league, as it goes for all cloud credentials and so is designed to allow a sideways move into the rest of an organisation's infra and full ransomware/secret theft:

Popular Tinycolor npm Package Compromised in Supply Chain Attack Affecting 40+ Packages.
<https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages>

Where are we?

1. Although Hadoop is primarily Java based with a bit of native C code, there is some JavaScript code which is built through npm, importing packages compromised in "Attack #1".
2. The npm project builds only run if -Pyarn-ui is used as an argument to the build. This is NOT the default. If you don't build the yarn UI: no risk from this or (currently) future NPM supply chain attacks.
3. Attack #1: The versions Hadoop uses were all safe.
4. If you were editing package.json files in the hadoop build to play with later versions - consider yourself at risk. Review versions used and maybe consider the whole machine as compromised.
5. Attack #2: Doesn't appear to have affected any files used in the project.
6. If you did any build with any version from attack #2, that's a serious issue: get in touch with any corporate security organisation, roll your cloud credentials, revoke GPG keys etc. Consider rebuilding the entire machine from scratch.
7. If you were building other node.js projects through npm - audit them to see if you have been exposed.
8. If you don't have npm installed, you are not at risk of this or future compromised npm packages causing damage to your host.
9. The docker container used for generating releases does include npm. With restricted access to your filesystem, the damage any future compromise could do would be limited to the source tree and the GPG credentials used for signing releases.
10. Because of the latter risk, we recommend that committers have a pair of GPG keys: the primary key (ideally kept offline) and the signing key. The latter can be revoked without the committer removing all proof of identity.

Hadoop builds do not appear compromised. If anyone has evidence to the contrary - please get in touch.

Finally, if you have a way of locking down npm, such as through any employer-hosted registry, you should configure npm to use it as both defence and due diligence.

Steve

On behalf of the hadoop security team, [email protected]
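One way to do the "review versions used" step without running npm, as an added example that is not part of the original message or of the Hadoop code base: it checks whether the version specs quoted above (exact pins and caret ranges) could resolve to a version on an advisory list. The "dependencies" section name, the function names and every entry in PLACEHOLDER_BAD are assumptions; the listed bad versions are constructed placeholders, not real advisory data.

```python
import json
import re

# Constructed manifest built from the entries quoted in the message above.
MANIFEST = json.loads("""{"dependencies": {
  "chalk": "1.1.1", "color": "^3.1.3", "color-convert": "^1.9.3",
  "color-name": "1.1.3", "color-string": "^1.6.0", "simple-swizzle": "^0.2.2"}}""")

# CONSTRUCTED placeholder versions, NOT real advisory data: replace them with
# the versions listed in the advisory you are checking against.
PLACEHOLDER_BAD = {"chalk": ["1.1.999"], "color-convert": ["1.9.999", "2.0.999"],
                   "simple-swizzle": ["0.3.999"]}

def parse(version):
    """Return (major, minor, patch) for a plain x.y.z version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    return tuple(int(p) for p in m.groups())

def admits(spec, version):
    """True if an exact pin or caret range `spec` can resolve to `version`."""
    v = parse(version)
    if not spec.startswith("^"):
        return parse(spec) == v  # exact pin: only that one version
    low = parse(spec[1:])
    # Caret: changes allowed to the right of the left-most non-zero component.
    if low[0] > 0:
        high = (low[0] + 1, 0, 0)
    elif low[1] > 0:
        high = (0, low[1] + 1, 0)
    else:
        high = (0, 0, low[2] + 1)
    return low <= v < high

def exposed_ranges(manifest, bad):
    """Map package -> listed bad versions that a fresh install could resolve to."""
    hits = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            matched = [b for b in bad.get(name, []) if admits(spec, b)]
            if matched:
                hits[name] = matched
    return hits

if __name__ == "__main__":
    for name, versions in exposed_ranges(MANIFEST, PLACEHOLDER_BAD).items():
        print(f"{name}: declared range admits {versions}")
```

A hit means the declared range permits a listed version, not that it was installed; what a build actually pulled in is recorded in its lockfile or node_modules tree, so check those next.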
