18 Popular Packages Compromised in One of the Largest NPM Supply Chain Attacks

Written by: Lore Apostol, Cybersecurity Writer

At least 18 popular npm packages, including debug and chalk, which together account for over 2 billion weekly downloads, were compromised in what may be one of the largest npm supply chain attacks to date. The incident, which occurred on September 8, 2025, involved malicious code being injected into the packages after a maintainer's account was hijacked.

Phishing Attack Vector

The initial compromise was achieved through a targeted phishing attack on developers, according to Aikido Security research. The package maintainer received an email from a fraudulent domain, npmjs.help, which impersonated the official npm registry. 

The email falsely claimed that the maintainer's Two-Factor Authentication (2FA) credentials were out of date and threatened to lock the account if not updated. 

The phishing email | Source: Aikido Security

This tactic coerced the developer into entering their credentials on the phishing site, giving the attackers the access needed to publish malicious versions of heavily used packages. The compromise caused considerable alarm among cybersecurity community figures on LinkedIn.

The 18 very popular packages are:

Malicious Payload

“This malware is essentially a browser-based interceptor that hijacks both network traffic and application APIs,” the report said. It injects itself into core functions like “fetch” and “XMLHttpRequest,” as well as wallet APIs for Ethereum, Solana, and other cryptocurrencies.

Its primary function is to silently intercept and rewrite crypto wallet addresses in transactions, redirecting funds and approvals to attacker-controlled accounts. 
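The report describes a payload that wraps fetch and XMLHttpRequest. The following is an added defender-side check, not code from the article or from Aikido's report, that a web application can run to spot such wrapping: a hooked browser API is usually a plain JavaScript wrapper, so it no longer reads as native code, and its reference differs from one captured at page load. It assumes an environment object shaped like `window` (`fetch`, `XMLHttpRequest`); the constructed environment at the bottom uses native builtins as stand-ins because Node has no XMLHttpRequest.

```javascript
// Capture the pristine toString at load time so a payload that also patches
// Function.prototype.toString to hide itself is still caught.
const realToString = Function.prototype.toString;
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// Entry points named in the report; XHR is checked via its prototype methods,
// which is where an interceptor has to hook.
const WATCHED = [
  ["fetch", (env) => env.fetch],
  ["XMLHttpRequest.prototype.open", (env) => env.XMLHttpRequest?.prototype?.open],
  ["XMLHttpRequest.prototype.send", (env) => env.XMLHttpRequest?.prototype?.send],
];

function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  try {
    return NATIVE_RE.test(realToString.call(fn));
  } catch (_) {
    return false; // exotic object masquerading as a function
  }
}

// Record references as early as possible (e.g. first script in <head>).
function snapshot(env) {
  return new Map(WATCHED.map(([name, get]) => [name, get(env)]));
}

// Report APIs that are either non-native wrappers or no longer the object
// seen at snapshot time. The identity check matters: a Proxy around a native
// function still prints as "[native code]", so toString alone misses it.
function auditNetworkApis(env, baseline) {
  const findings = [];
  for (const [api, get] of WATCHED) {
    const fn = get(env);
    if (fn === undefined) continue;
    if (!isNativeFunction(fn)) findings.push({ api, reason: "not native code" });
    else if (baseline && baseline.get(api) !== fn) findings.push({ api, reason: "reference changed since baseline" });
  }
  return findings;
}

// Constructed stand-in for `window`: genuine native builtins play the role of
// the untouched browser APIs. In a browser, pass `window` instead.
function makeCleanEnv() {
  function XMLHttpRequest() {}
  XMLHttpRequest.prototype.open = Object.prototype.hasOwnProperty;
  XMLHttpRequest.prototype.send = Object.prototype.valueOf;
  return { fetch: Math.max, XMLHttpRequest };
}

// Benign simulation of the wrapper shape an interceptor takes (forwards only).
function simulateHook(env) {
  const origFetch = env.fetch;
  env.fetch = function fetch(...args) { return origFetch.apply(this, args); };
  const origOpen = env.XMLHttpRequest.prototype.open;
  env.XMLHttpRequest.prototype.open = function open(...args) { return origOpen.apply(this, args); };
}
```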

Cybersecurity Implications

The attack highlights the severe risks of credential phishing and the far-reaching impact of supply chain attacks within the software development ecosystem, potentially affecting millions of downstream projects and end-users.

In April, Atomic and Exodus wallets were compromised by a trojanized npm package posing as a PDF converter, while the North Korean Lazarus Group targeted developers with a new wave of malicious npm packages in March.
