npm, Inc. Breach Incident Score: Analysis & Impact (NPM1032210111125)

In this Rankiteo incident briefing, we review the npm, Inc. breach identified under incident ID NPM1032210111125.

The analysis begins with a detailed overview of npm, Inc.'s information like the linkedin page: https://www.linkedin.com/company/npm-inc-, the number of followers: 11670, the industry type: Software Development and the number of employees: 18 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 681 and after the incident was 676 with a difference of -5 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on npm, Inc. and their customers.

Projects using `expr-eval` < 2.0.2 recently reported "Remote Code Execution (RCE) Vulnerability in JavaScript Library `expr-eval`", a noteworthy cybersecurity incident.

A severe vulnerability in the widely used JavaScript library `expr-eval` (versions prior to 2.0.2) allows remote code execution (RCE) due to its handling of custom functions and use of the `new Function()` constructor.

The disruption is felt across the environment, affecting Web applications, Server-side applications and Mobile applications (using `expr-eval`).

In response, moved swiftly to contain the threat with measures like Patch release (version 2.0.2) and Deprecation of risky `new Function()` usage, and began remediation that includes Upgrade to `expr-eval` 2.0.2+, Avoid passing user-controlled input to expression evaluators and Audit for `Function` or dynamic interpretation functions, and stakeholders are being briefed through Public disclosure of vulnerability and patch and Developer advisories for best practices.

The case underscores how Resolved (patch released; ongoing monitoring recommended), teams are taking away lessons such as Supply chain vulnerabilities in third-party libraries (e.g., NPM packages) pose significant risks even for widely used, reputable projects, Dynamic code evaluation (e.g., `new Function()`, `eval()`) should be avoided or strictly controlled when processing untrusted input and Open-source libraries with extensibility features (e.g., custom functions) require rigorous security review to prevent misuse, and recommending next steps like Upgrade to `expr-eval` 2.0.2 or later immediately, Implement strict input validation and sanitization for all user-provided expressions and Avoid exposing expression evaluators to untrusted input, especially in high-risk environments (e.g., financial platforms), with advisories going out to stakeholders covering Developers: Audit and patch dependent projects, Security teams: Review applications for `expr-eval` usage and exposure to untrusted input and Organizations: Assess supply chain risk from third-party JavaScript libraries.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Supply Chain Compromise: Compromise Software Dependencies (T1195.002) with high confidence (95%), with evidence including supply chain vulnerabilities in third-party libraries (e.g., NPM packages), and 800,000+ weekly downloads on NPM and Command and Scripting Interpreter: JavaScript (T1059.007) with high confidence (90%), with evidence including unsafe use of the `new Function()` constructor—equivalent to `eval()`, and dynamic Code Evaluation via `new Function()`. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: JavaScript (T1059.007) with high confidence (95%), with evidence including allows **Remote Code Execution (RCE)** via `new Function()`, and arbitrary code execution on the server and Exploitation for Client Execution (T1203) with moderate to high confidence (85%), with evidence including exposes countless projects across **web, server-side, and mobile** environments, and risk to critical logic evaluation in financial/educational/gaming platforms. Under the Persistence tactic, the analysis identified Server Software Component: Web Shell (T1505.003) with moderate to high confidence (70%), with evidence including server takeover via RCE in `expr-eval`, and lateral movement into connected systems. Under the Privilege Escalation tactic, the analysis identified Exploitation for Privilege Escalation (T1068) with moderate to high confidence (80%), with evidence including server takeover via arbitrary code execution, and lateral movement into connected systems. Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information (T1027) with moderate to high confidence (75%), with evidence including attackers to inject malicious input via custom functions, and dynamic expression parsing as an evasion vector. Under the Impact tactic, the analysis identified Resource Hijacking (T1496) with moderate to high confidence (85%), with evidence including server takeover, and risk to critical logic evaluation in financial/educational/gaming platforms and Data Destruction (T1485) with moderate confidence (60%), with evidence including data theft (implied via RCE), and potential runtime compromise. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.