A compromise of open-source software dependencies exposed the global impact of trust failures – and why visibility and verification are critical for securing industrial systems.

The recent compromise of 18 widely used packages on NPM (Node Package Manager), the world’s largest repository of open-source JavaScript libraries, exposed just how fragile digital trust can be. NPM is used by millions of developers and organizations to share and install code that supports websites, cloud applications, and even components embedded in industrial systems. When attackers gained access to a single maintainer’s account and published malicious versions of several NPM packages, the incident showed how deeply software dependencies are woven into modern systems and how quickly that trust can break down.

This incident also reignited an ongoing debate: which is inherently more secure, open-source or closed-source software? Open-source code benefits from transparency and community oversight, yet visibility alone does not guarantee safety. As this breach proved, even when code is available for anyone to inspect, human error and credential theft can still undermine security at scale.

While the event centered on open-source software, its lessons reach far beyond the IT domain. Every organization – including those managing operational technology (OT) – depends on a network of trusted digital relationships that can be exploited at any point along the chain.

Inside the Attack

Attackers used a phishing email to gain control of a maintainer’s NPM account and then uploaded modified versions of popular libraries such as chalk, debug, ansi-styles, and wrap-ansi. The injected JavaScript contained a cryptocurrency-stealing payload that silently replaced wallet addresses during transactions.

The breach was detected quickly through community monitoring and recognizable code patterns, but not before more than two million downloads occurred. Financial losses were limited, yet the event highlighted how one compromised account can affect a global software ecosystem.

The Cybersecurity and Infrastructure Security Agency (CISA) later confirmed the scale of the issue. In an alert released September 23, 2025, CISA described a self-replicating worm, known as Shai-Hulud, that compromised over 500 NPM packages. The malware harvested developer credentials and cloud access tokens, then used those credentials to spread further by publishing additional infected packages. CISA advised organizations to review their dependencies, rotate credentials, and enforce phishing-resistant multifactor authentication – steps that reflect the broader need for supply chain vigilance across all sectors.

A Fragile Web of Trust

The NPM compromise illustrates how deeply interdependence defines today’s connected enterprises. Each external relationship – whether a software library, vendor, or service provider – creates a pathway that can be turned against the organization if trust is misplaced.

That same principle applies in OT environments. Software developers rely on open-source maintainers; industrial operators rely on equipment suppliers, firmware vendors, and engineering partners. A single trusted update or maintenance connection can become the starting point of a disruption. In operational technology, the consequences can move from digital compromise to physical impact, including downtime, loss of visibility, or safety hazards.

Trust, in either context, cannot be assumed. It must be verified and maintained.

The OT Connection

RMC’s work with utilities, manufacturers, and critical infrastructure organizations shows that dependency risk is more than a software issue – it spans entire systems. Industrial networks depend on technologies and components that often remain in service for decades, which increases exposure when a trusted element becomes compromised.

A firmware update, a remote vendor session, or an integration script can all act as the OT equivalent of a corrupted software library. Once that trust is exploited, recovery becomes complex and resource-intensive. Maintaining visibility into these dependencies is the foundation of resilience.

RMC’s Perspective on Supply Chain Integrity

The NPM attack highlights a key paradox of open-source ecosystems: visibility does not automatically create security. Code that is open to inspection can still harbor risk if the mechanisms protecting its contributors are weak.

In software environments, that understanding comes from maintaining a Software Bill of Materials (SBOM) that catalogs every dependency. Within OT systems, RMC applies similar principles through dependency mapping and mission assurance assessments. These efforts help organizations see how their assets interact, where dependencies exist, and which trust relationships carry the highest risk.

Identity protection is equally critical. The NPM breach began with a single phishing message. Strong authentication, strict access controls, and behavioral monitoring would have stopped the attack at its source. The same controls should apply to OT vendors, contractors, and partners with system privileges.

Prevention is not always possible, but strong technical controls can limit the impact of a compromise and help contain it before it spreads.Building a More Resilient Supply Chain

In addition to technical measures, RMC performs comprehensive Supply Chain Risk Management (SCRM) assessments that evaluate vendor relationships, sourcing practices, and procurement processes to identify weaknesses before they result in operational disruptions.

Organizations can strengthen their position by focusing on a few key areas:

• Visibility: Maintain a clear, current inventory of all software, hardware, and vendor dependencies.
• Authentication: Require phishing-resistant MFA for all privileged accounts, including those of third parties.
• Monitoring: Track for unexpected code changes, configuration updates, and network activity.
• Preparedness: Test detection and response capabilities through realistic supply chain simulations.
• Verification: Review trust relationships regularly and confirm they remain warranted.

Resilience Built on Proof

The NPM incident was contained before it caused widespread damage, but it reflects a growing trend. Supply chain attacks seen in cases such as SolarWinds and other major breaches, are becoming more common and remain highly effective because they exploit the inherent trust built into interconnected systems. Digital trust can erode quickly, and its effects can move through connected environments faster than many organizations can respond.

For critical industries, securing the supply chain is no longer a procedural requirement. It is a core element of mission assurance.

At RMC, we believe resilience is built on proof rather than assumption. Through visibility, dependency mapping, and disciplined verification across IT and OT environments, organizations can reinforce the trust that keeps essential systems operating safely and reliably.