What Happened
On September 8, 2025, the JavaScript ecosystem experienced one of its largest supply chain attacks. Popular NPM packages with over 2.6 billion combined weekly downloads were compromised after a trusted maintainer’s account was hijacked through a phishing attack.
The maintainer, known as “Qix”, posted on yCombinator:
“Hi, yep I got pwned. Sorry everyone, very embarrassing… Email came from support at npmjs dot help. Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site like I normally would (since I was mobile).”
The Attack Method
The attackers sent a convincing phishing email from support@npmjs.help claiming that all users needed to update their Two-Factor Authentication (2FA) credentials. The email threatened that accounts would be locked on September 10, 2025, creating false urgency.
The Danger
Each of the packages listed below has now been “updated”, but the updated releases contain malware.
The malware targets cryptocurrency transactions in browsers. It hijacks wallet extensions like MetaMask, intercepting transactions before they’re signed and replacing recipient addresses with attacker-controlled ones. The interface shows the correct information, but funds are secretly redirected. The malware supports multiple cryptocurrencies including Bitcoin, Ethereum, Solana, and others.
Affected Packages
According to the maintainer’s post, these packages were compromised:
Major packages:
- backslash (0.26m downloads per week)
- chalk-template (3.9m downloads per week)
- supports-hyperlinks (19.2m downloads per week)
- has-ansi (12.1m downloads per week)
- simple-swizzle (26.26m downloads per week)
- color-string (27.48m downloads per week)
- error-ex (47.17m downloads per week)
- color-name (191.71m downloads per week)
- is-arrayish (73.8m downloads per week)
- slice-ansi (59.8m downloads per week)
- color-convert (193.5m downloads per week)
- wrap-ansi (197.99m downloads per week)
- ansi-regex (243.64m downloads per week)
- supports-color (287.1m downloads per week)
- strip-ansi (261.17m downloads per week)
- chalk (299.99m downloads per week)
- debug (357.6m downloads per week)
- ansi-styles (371.41m downloads per week)
But there may be more.
What You Should Do
Check your projects (including the lockfile, where nested copies of a dependency live) for these packages and ensure you’re not running the compromised versions. Be cautious about updating packages until you’ve verified they’re safe. If you need to force safe versions, remember you can add an overrides entry to your package.json.
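The check described above, as an added example that is not part of the original post: a small Node script that walks the "packages" map of an npm lockfile (v2/v3), reports every installed copy of a package named in the list above, and builds a package.json overrides fragment from a map of known-good versions. The lockfile content and the pin versions are constructed placeholders; since this page does not give the compromised version numbers, every installed copy is reported for manual review rather than judged clean or malicious.

```javascript
// Package names taken from the "Affected Packages" list above.
const AFFECTED = new Set([
  'backslash', 'chalk-template', 'supports-hyperlinks', 'has-ansi', 'simple-swizzle',
  'color-string', 'error-ex', 'color-name', 'is-arrayish', 'slice-ansi', 'color-convert',
  'wrap-ansi', 'ansi-regex', 'supports-color', 'strip-ansi', 'chalk', 'debug', 'ansi-styles',
]);

// Derive the package name from a lockfile path, keeping scoped names intact:
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? lockPath : lockPath.slice(idx + 'node_modules/'.length);
}

// Return every installed copy of an affected package, including nested duplicates
// that a plain "npm ls <name>" at the top level can hide.
function findAffected(lockfileJson, affected = AFFECTED) {
  const lock = JSON.parse(lockfileJson);
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project entry, not a dependency
    const name = nameFromLockPath(lockPath);
    if (affected.has(name)) hits.push({ name, version: meta.version, path: lockPath });
  }
  return hits;
}

// Build a package.json "overrides" block pinning each hit to a verified version.
function buildOverrides(hits, knownGood) {
  const overrides = {};
  for (const { name } of hits) {
    if (knownGood[name]) overrides[name] = knownGood[name];
  }
  return { overrides };
}

// Constructed sample lockfile: one top-level hit plus one nested under another dependency.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '9.9.9' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/left-pad/node_modules/ansi-styles': { version: '9.9.9' },
  },
});

// Placeholder pins (constructed): replace with versions you have verified as clean.
const KNOWN_GOOD = { chalk: '<verified-clean-version>', 'ansi-styles': '<verified-clean-version>' };

const found = findAffected(SAMPLE_LOCK);
console.log(found);
console.log(JSON.stringify(buildOverrides(found, KNOWN_GOOD), null, 2));
```

Run it against your real lockfile by replacing SAMPLE_LOCK with the contents of package-lock.json; any non-empty result is a package to review before the next install.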
Looking Forward
This incident reminds us of two important security considerations:
First, always verify the sender of security-related emails, especially those creating urgency.
Second, consider implementing package security scanning in your development workflow. The open source ecosystem is incredibly valuable, but it requires vigilance.
The Silver Lining
While this attack was serious, the rapid detection and response shows that the community’s security measures are improving. The maintainer’s transparency and quick action, combined with security researchers’ vigilance, limited the potential damage significantly.
Open source software remains one of technology’s greatest achievements. Incidents like this don’t diminish its value – they remind us to implement proper safeguards and always keep an eye on the “code” we are running, rather than blindly copying and pasting, or adding new packages into our applications.