On September 8th, the JavaScript world had just been rocked. Malicious code was injected into more than 20 npm packages, and Prebid.js, a fundamental library that is used for header bidding in programmatic advertising, was among them. Given how many publishers and adtech platforms rely on it, this is not something that is just about developers only. A single hacked library can have a cascade effect throughout the digital ad environment, compromising revenue, data, and trust.
Why it Matters to the Adtech Industry
Open-source software is inherently essential to adtech. Tools like Prebid.js allow publishers, SSPs (Supply Side Platforms), and DSPs (Demand Side Platforms) to execute header bidding, optimize ad revenue, manage auctions, and coordinate hundreds of third-party integrations. A compromise on a critical component in the supply chain has an impact on thousands of sites, impacting:
- End user security (data, device, and wallet)
- Publisher ad platform and reputation trust
- Ad creative and delivery integrity
- Compliance and risk exposure (cryptojacking, reputational risk, malware)
What Happened: The NPM Attack on Prebid.js
Security researchers at boltive found that more than 20 popular npm packages were impacted by a supply chain attack, and one of the most targeted was Prebid.js. The affected versions were prebid.js 10.9.1 and 10.9.2, and prebid-universal-creative 1.17.3.
Attackers hooked code into the browser functionality such as window.fetch, XMLHttpRequest, and window.ethereum.request. Further, this allows them to intercept or divert cryptocurrency transactions on users who have browser wallets . As the packages were distributed via npm, multiple developers and organizations found themselves installing/upgrading the vulnerable versions before it was detected.
How the Attack Was Carried Out
The hackers did not just attack code vulnerabilities they attacked those that developed them. Through phishing package maintainers on npm, they managed to take over accounts that managed some of the popular libraries, one of them being Prebid.js. One of the maintainers that were hit was an individual named “Qix.”
They employed email addresses on domains that appeared genuine, such as “[email protected],” claiming that two-factor authentication had timed out. This deceived maintainers into surrendering their credentials. Attackers got into popular packages such as chalk, debug, ansi-styles, and Prebid.js. The malware quickly spread across the npm ecosystem, touching millions of developers and organizations before it was discovered and corrected.
Who Was Affected
The attack impacted ad tech publishers and partners , notably SSPs and DSPs that had installed outdated, vulnerable copies of Prebid.js. For anyone accessing those sites, the risk was that illicit cryptocurrency transactions might have been hijacked. What hurt the most was that the code tended to infiltrate other dependencies, and thus even companies which hadn’t explicitly installed version 10.9.2 were impacted.
The attack rocked the boat everywhere. Some partners likely waited on new integrations or put projects on hold until they could be certain everything was okay. On the other hand, it was a good reminder for everyone to run through their own systems and determine whether anything had fallen through the cracks.
Update : Prebid has now released version 10.10.0, which eliminated the malware.
Why This Is a Wake-Up Call for Adtech
The Prebid.js example is a perfect illustration of how seemingly quite popular open-source code can be an attack surface, impacting numerous downstream organizations and users. Open-source dependency is ubiquitous; all but the most mundane utility packages are transitively consumed (via build tools, dev tooling, etc). Relying on a bug in one low-level package can cascade. Maintainer accounts may be grounded in human factors (email, 2FA, comms), and phishing is still a good vector. The malicious ones might go unnoticed for a short period (until something unusual occurs or tools raise an alarm). Risks to SSPs, Publishers, and Platforms.
Supply chain attacks can hit organizations in various ways, from eroding user trust to becoming legal matters. They can bring day-to-day operations to a standstill, harm revenue, and take large amounts of technical time to fix. To ad tech platforms and publishers, understanding these threats is essentially the requirement.
- Reputational damage: If wallets of users are broken or sites are delivering malicious code, publishers are the ones who are pointed.
- Legal and compliance issues: In certain markets, even accidental malware distribution will cause regulatory problems.
- Revenue impact: Trust collapses, sites crash, and it costs to fix.
- Challenges: Patching, updating dependencies, and auditing takes time and will unexpectedly break things.
Why Prebid.js is a High-Value Target
Prebid.js is widely deployed in publisher stacks for header bidding, so it’s a central piece of the programmatic ad ecosystem. Apart from the fact that it is running on the client-side in user browsers, the hacked one may reveal a huge attack surface such as controllable DOM (Document Object Model) nodes, some APIs access, and even interaction with Web3 wallets. The fact that it’s popular and in the spotlight ensures that any infected instance will propagate to masses in seconds, infecting a huge number of sites and users, and making it highly sought-after by attackers.
What You Should Do Now
It’s important to act promptly to make sure your systems remain secure.
- Make sure Prebid.js is basically updated to version 10.10.0 (or the version that applies to your setup) if you’re currently on 10.9.2. If updating right away isn’t possible, temporarily isolate or remove the affected versions until a secure version can be implemented.
- Check all third-party dependencies in your projects including those indirectly imported to see if any of them may be utilizing the vulnerable version.
How to Audit Your Prebid.js Implementation
To ensure that your systems weren’t impacted, it’s good to ensure both your client-side actions and dependencies.
- Look at your package.json, your lockfiles (package-lock.json or yarn.lock), and your SBOM (Software Bill of Materials) to determine if version 10.9.2 was present, including transitive dependencies.
- Look at browser or client logs for anomalies in network requests or activity, like unexpected redirects or unusual API calls.
- If you’re serving your JS bundle yourself, take a peek to make sure there isn’t literally any evil code in there, such as calls to wallet tampering or indiscriminate API hooks.
Best Practices for Securing Your Supply Chain
To minimize the risk of supply chain attacks, it’s prudent to harden account security, maintain dependencies under rigorous scrutiny, and remain in command of the code you execute.
- Multi-Factor Authentication: Enable MFA for every publisher and maintainer account in order to make it more difficult for the attacker to gain access.
- Least Privilege: Grant only production push privileges to those that actually require it, thereby making a participating account not wreak havoc on a large scale.
- Dependency Monitoring: Utilize vulnerability scan tools, listen for alarms, and create SBOMs. Track transitive dependencies too from time to time.
- Version Control: Pin or lock dependencies so you can be sure of precisely what ends up going into your builds.
- Controlled Hosting: For mission-critical client-side pieces, host them yourself or via reputable CDNs (Content Delivery Networks) you manage, instead of completely relying on third-party sources.
Broader Implications for the Industry
This event only confirms that we can’t depend on a library blindly just because it’s being extensively used. Publishers, developers, and ad platforms will have to assume that any dependence could potentially be problematic. Ensuring the code they are borrowing is in fact from a proven source and has not been modified is truly more critical now than ever.
How This Incident May Influence Future Governance
- Anticipate stronger npm-publishing mechanisms (i.e., package versions will have to be signed) or stronger verification processes beginning with registry-level auditing or scanning of maintainers’ accounts.
- Expect the use of SBOMs (Software Bill of Materials) by organizations to help them identify more easily the software pieces and the related assets they utilize containing all the known vulnerabilities.
- There could be some industry or regulatory requirements derived from the IAB, which is aiming to develop security (audit/incident response) specs for ad tech software.
Community and Vendor Role in Proactive Defense
- Open-source maintainers require greater community support in the form of improved tooling, improved security practices, increased funding, and improved education so that they don’t get so scared of being swamped by bad actors.
- Businesses such as SSPs, DSPs and publishers ought to work together, exchange threat intelligence, and provide threats and/or best practices on a voluntary basis.
- Pursue the overall worth of security tooling (e.g., software component analysis tools, malware scanners, signed code, etc.) to contribute to its value component as it is being used as an additional defense to the platform.
Conclusion
These incidents with the NPM supply chain that have happened do not represent security with libraries we assume either, Prebid.js is not fully secured by design either. Reminder again that in adtech, as we continue to see that a lot of the whole ecosystem is because of how dependencies of tools perceive and interact, one line of ugly code can propagate and wreak havoc, whether that is money, data, relationship or reputation.
This can be a great reminder when supply chain security is at play. Going through what is actually executing on your sites, keeping libraries current, and watching things creeping in through other dependencies can go a long way. For publishing companies, a simple regular scan of the tools and libraries their sites are executing will go a long way in keeping them from being blindsided again.
How Databeat can help
Databeat helps to reduce supply chain risk in their programmatic advertising activities including the snap action from the recent Prebid.js npm incident. Databeat gives publishers, SSPs, and DSPs full visibility and control of third-party scripts and integrations. Databeat minimizes operational risk and protects revenue while maintaining client’s trust and confidence in their operations allowing teams to reduce risk of possible security vulnerabilities even before they have affected the campaigns or exposed user data.
