Your Updates Are Updating Themselves
You know that notification—"App update available"—and you click Install because everyone tells you to keep your apps updated for security?
Here's what you probably don't know: malicious code can now ride along inside the tools developers use to build those apps, and spread from one developer to the next. No permission prompt, nothing obvious to detect. Like a cold that jumps from person to person, except it's code, and what it steals are the digital master keys developers use to publish the software that ends up on your phone.
Three weeks ago, researchers found a worm (self-spreading malicious code) living inside npm, the registry that delivers pre-built software pieces to millions of developers worldwide. When a developer installed what looked like a legitimate package, the worm ran immediately: it stole that developer's publishing credentials, used them to find every other package the developer had the rights to publish, and uploaded poisoned versions of those too. Then it waited for the next developer to install one of them. And it spread again.
If you've installed any app update in the last 90 days, there's a non-zero chance that update was built by a developer whose tools were compromised without their knowing.
The Skeleton Key That Unlocks Every App You Use
Here's how software actually gets built: developers don't write every single line of code from scratch. They use packages—pre-written chunks of code that do common things like "validate an email address" or "format a date." Those packages live in repositories like npm (Node Package Manager), which hosts over 2 million of them.
When a developer builds your banking app, your fitness tracker, your food delivery service—they pull in dozens, sometimes hundreds, of these packages. They trust that the packages do what they claim to do. Most of the time, that trust is fine.
But when attackers compromise a popular package, one that gets downloaded tens of thousands of times a week, they don't just infect one app. They infect every app that uses that package. And this worm doesn't wait for a developer to download the wrong package by chance. Once it has one developer's credentials, it pushes itself into every package that developer is allowed to publish, automatically.
The worm steals authentication tokens, the credentials that let a developer publish new versions of their packages to npm. With those tokens, attackers can push poisoned versions that look completely legitimate. Any app whose developer pulls that package into their next build ships the attacker's code to you, inside an update you're supposed to install for security.
And because the worm spreads itself, one infected developer becomes ten. Ten becomes a hundred. The researchers found it in packages with over 65,000 downloads per week.
Why This Is Happening Right Now
Three forces collided in the last two years:
First: the number of software packages exploded. There are now so many that no human can review them all. Developers rely on trust and automation—and attackers know it.
Second: AI coding assistants like GitHub Copilot and ChatGPT are training developers to copy-paste code faster than ever. That includes pulling in packages without scrutiny. Speed became more valuable than caution.
Third: developer credentials became wildly valuable. A single stolen token can grant access to publish updates for apps used by millions of people. There's now an entire underground market for these credentials. This worm was built to harvest them at scale.
The result: a self-spreading supply chain attack that doesn't need you to click on a phishing link. It just needs one developer, anywhere in the chain, to install the wrong package.
What You Can Actually Do About It
You can't audit the software supply chain. But you can shrink your exposure.
1. Pause automatic app updates, for now. Yes, everyone tells you the opposite, and the trade-off is real: delaying an update also delays the security fixes it carries. But a 24 to 48 hour wait gives time for a poisoned update to be noticed, pulled from the store, or flagged in user complaints. Check recent reviews and the update notes before you tap Install, and don't sit on updates for longer than a few days.
2. Delete apps you don't use. Every installed app is a door. If you haven't opened it in a month, remove it. Especially: old fitness apps, restaurant apps, retailer apps, games your kids stopped playing.
3. Check app permissions monthly. Go to Settings → Privacy & Security on iOS, or Settings → Privacy → Permission manager on Android (the exact path varies by manufacturer and version). Revoke access for anything that doesn't need it. If a flashlight app has access to your contacts, delete the app entirely.
4. For any app that touches money or identity—banking, investment, tax, password managers—enable multi-factor authentication and use app-specific passwords or passkeys where available. Even if an update is compromised, MFA creates a second barrier.
5. If you're a parent: check your kids' devices. Gaming apps and "free" utility apps are the highest risk. Kids install things fast and click through permission requests without reading them. Or even better, do not give a smartphone to kids until they are at least 14 years old, but that's a topic for another newsletter.
6. If you run a business: talk to your dev team or your software vendor. Ask them directly: "Are you monitoring your dependencies for supply chain attacks? Do you have a software bill of materials?" If they don't know what that means, that's your answer.
Wrap up
Have you ever installed an app update that immediately made the app worse, more invasive, or started asking for permissions it never needed before? What app was it—and what did you do?
Identity Decoded publishes every week at identity-decoded.com
