Overnight, news broke that cybercriminals have injected NPM packages downloaded more than two billion times a week with malware, after the package maintainer’s accounts were hijacked. These code packages are used to build JavaScript projects, and form the backbone of almost all websites, mobile apps, and cloud platforms. Of the 18 libraries impacted, many are widely used by developers, including chalk (300 million estimated weekly downloads) and debug (358 million), giving the breach a potentially enormous footprint. Here, Jonathan Gill, CEO of Panaseer, outlines why this attack is particularly alarming (many organisations wouldn’t even be aware they are using NPM packages), and why organisations need to master their inner circle.
“As a central hub for modern software, nearly every company with an online presence will depend on npm, often without realizing. Any compromise’s impact will spread far and wide, making a breach like this seem especially alarming.
“To avoid feeling overwhelmed by attacks which expose not just one company but entire ecosystems, security teams need to focus on what they can and can’t control. They can’t control the outer circle: the attackers, the security posture of their suppliers, or the unknown flaws in third-party code.
“But they can control the inner circle: their own assets and security controls, and their effectiveness. Maximising visibility into what’s knowable – e.g. infrastructure, privileged access points, security configurations, and patching status – helps to better manage the unknowable threats outside the perimeter.
“Real resilience comes from proof, meaning verifiable data, not checkboxes. Organizations that master their inner circle gain the clarity, agility, and confidence to respond effectively to the next supply chain attack.”
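The point about organisations not knowing they use npm packages comes down to inventory: a resolved lockfile already records every installed copy of a package, including nested duplicates that a top-level `package.json` hides. The script below is an added example (not from the article or from Panaseer) that walks a `package-lock.json` for the two packages the article names; the lockfile and its version strings are constructed placeholders, not the compromised releases.

```javascript
// Added example: list every install of watched npm packages in a lockfile.
// Package names come from the article; versions below are placeholders.
const WATCHED = new Set(["chalk", "debug"]);

// Constructed lockfileVersion 3 sample (npm 7+): keys are install paths, and a
// nested install shows up as "node_modules/a/node_modules/b".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/chalk": { version: "0.0.0-placeholder" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/express/node_modules/debug": { version: "0.0.0-placeholder" },
    "node_modules/debug": { version: "0.0.0-placeholder-2" },
  },
};

// Package name from a v2/v3 install path, keeping scoped names intact:
// "node_modules/express/node_modules/debug" -> "debug"
function nameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? null : p.slice(idx + "node_modules/".length);
}

// Walks either lockfile shape (v1 nested "dependencies", v2/v3 flat "packages")
// and returns [{name, version, path}] for each install of a watched package,
// sorted by path so duplicates at different depths are visible side by side.
function findWatched(lock, watched = WATCHED) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      const name = nameFromPath(p);
      if (name && watched.has(name)) hits.push({ name, version: meta.version, path: p });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (watched.has(name)) hits.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

for (const h of findWatched(SAMPLE_LOCK)) console.log(`${h.name}@${h.version}  ${h.path}`);
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the same walk works for any list of package names a team needs to account for.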