
In an increasingly interconnected digital ecosystem, companies depend on networks of suppliers and partners to operate efficiently. However, this interdependence has transformed the supply chain into a new critical cybersecurity perimeter. According to the ENISA Threat Landscape 2024 report, the supply chain consistently ranks among the top three most critical attack categories for European organizations. Between 2021 and 2023, supply chain attacks increased by 431%, with exponential growth forecasted by 2025.
Software supply chain attacks exploit the implicit trust between organizations and suppliers, targeting a single vulnerable link and propagating throughout the entire chain. Compromising an open source library, an NPM package, or a SaaS provider can pave the way for massive and difficult-to-detect intrusions. The result is a systemic risk that requires new defense strategies and a more mature approach to digital trust management.
In this article, we will analyze why the supply chain has become the preferred attack vector, examine two emblematic cases in the NPM context – from the Colors and Faker.js sabotage in 2022 to the recent large-scale compromise in 2025 – and then delve into how an integrated approach to supply chain security and compliance can significantly mitigate risks, with particular reference to the methodology adopted by ELMI.
Supply chain attacks are distinguished by their indirect nature and their ability to deeply impact an organization’s entire digital ecosystem. Rather than directly attacking the primary target, cybercriminals compromise a trusted supplier—such as a software, hardware, or managed services vendor—using it as a conduit to introduce malicious code or manipulated components. This strategy, based on exploiting trust between business partners, makes the attack particularly insidious: third-party suppliers often have privileged access to sensitive systems and data, making them an ideal entry point.
Making these attacks even more dangerous is their complexity and scalability. Malicious code can be introduced at any stage of the supply chain, then propagate to dozens or hundreds of connected organizations. As a result, a single compromise can generate widespread impact, with repercussions extending far beyond the initial target, jeopardizing the business continuity, reputation, and regulatory compliance of multiple organizations simultaneously.
Precisely because they exploit trusted components, some of the most significant supply chain attacks have targeted open source libraries and dependency management packages, such as those distributed via NPM (Node Package Manager). In the next section, we’ll explore in detail the nature of these attacks, the technical mechanisms they employ, and some real-world cases that highlight their potential impact on enterprise software.
Among the various forms of supply chain compromise, attacks on NPM (Node Package Manager) packages represent one of the most insidious and studied vectors. These attacks exploit the widespread diffusion of open source libraries within modern applications, where a single compromised dependency can automatically propagate to dozens or hundreds of projects. Attackers can operate through typosquatting, creating packages with names similar to legitimate ones, or by injecting malicious code into genuine libraries, often by exploiting compromised developer accounts.
Cases such as the compromise of popular libraries like Colors and Faker.js (2022) and the recent attack on the Node Package Manager repository in September 2025 show how a small change in a dependency can have devastating effects on an entire application ecosystem. Malicious code can exfiltrate data, create backdoors, or compromise critical processes without arousing immediate suspicion, precisely because these are trusted and widely used components.
Let’s look at these examples in detail.
In January 2022, the colors.js and faker.js NPM packages, both developed and maintained by Marak Squires, were sabotaged by the same author. Version 6.6.6 of faker.js was released with code that generated an infinite loop, causing a Denial of Service (DoS) on systems using it. Similarly, code was introduced into the colors.js package that repeatedly printed random data to the console, disrupting the normal operation of applications. This act of sabotage was motivated by the author’s resentment over large companies using his packages for free. The incident had a significant impact, considering that colors.js had over 3.3 billion downloads and faker.js approximately 272 million.
In early September 2025, the Node Package Manager (NPM) repository was hit by a targeted attack that compromised 18 packages, including chalk, debug, ansi-styles, supports-color, and strip-ansi, used in millions of JavaScript projects. The incident was described in international analysis as the NPM Supply Chain Attack 2025.
Initial access was gained via a phishing email targeting one of the affected package maintainers. Using a carefully crafted email spoofed to appear to be from npm, the victim was tricked into providing credentials and a multifactor authentication code to avoid an alleged imminent account ban. By exploiting this deception, the malicious actor was able to access the victim’s environment, modify the index.js files, and release compromised versions of the packages, which were subsequently propagated within the JavaScript and Node.js ecosystems.
Technically, the injected code was obfuscated and designed to run in browser/Node contexts related to Web3 operations: it intercepted calls related to cryptographic transactions and replaced the destination addresses with attacker-controlled wallets, making the attack particularly effective against applications that integrate cryptocurrency or wallet functionality into the front end. The nature of the injection—modifications to official releases and the use of mechanisms already present in the development pipeline (automatic dependency installations)—allowed for rapid and silent propagation, considering that the compromised packages totaled over 2 billion weekly downloads.
Removing the compromised package and containing the spread proved more complex than expected, because build systems often maintain cached copies of libraries, and transitive dependencies cause the infected version to automatically propagate to projects that indirectly use it.
Events like the 2025 NPM attack demonstrate that supply chain security can no longer be limited to the company perimeter. Supplier management, continuous monitoring of software components, and compliance with security regulations are becoming strategic elements. In this context, ELMI supports companies with continuous monitoring, managed services, and regulatory compliance (NIS2, DORA), offering integrated and proactive protection of the entire digital value chain.
The growing complexity and interconnectedness of digital supply chains makes an integrated approach to cybersecurity and regulatory compliance essential. In this context, ELMI, a system integrator with forty years of experience, supports companies in supply chain protection and risk management through four main levers:
The robustness of ELMI services is also guaranteed by the expertise of a specialized team: professionals certified in vendor-neutral standards such as CompTIA, Cisco CCNA, and Security Blue Team. This multidisciplinary group combines experience in enterprise technologies and vertical solutions, ensuring end-to-end management of cybersecurity, compliance, and digital supply chain resilience.
Operational activities—Security Operation Center (SOC), Network Operation Center, and managed services—are coordinated within ELMI’s Security Competence Center, which centralizes skills, processes, and technologies, ensuring structured and continuous risk management across the entire digital supply chain.
Thanks to this integrated approach, ELMI enables companies to combine security, compliance and operational resilience, turning digital supply chain protection into a competitive and strategic advantage.
