

Ethical Hacking News

A Devastating Supply Chain Attack: 20 Popular npm Packages Compromised in Cybersecurity Breach


Twenty popular npm packages have been compromised in a devastating supply chain attack, with attackers exploiting a phishing campaign to publish malicious code to the npm registry. The affected packages collectively attract over 2 billion weekly downloads and were targeted by attackers who utilized a sophisticated payload designed to intercept cryptocurrency transaction requests.

  • 20 popular npm packages have been compromised in a devastating supply chain attack.
  • The affected packages collectively attract over 2 billion weekly downloads and were targeted by attackers who utilized a sophisticated phishing campaign.
  • The attack involved stealing users' two-factor authentication credentials to publish malicious code to the npm registry.
  • The malicious payload was designed to intercept cryptocurrency transaction requests and steal assets.
  • Developers are not inherently the target, but if they open an affected site in a browser and connect a wallet, they too become victims.
  • This attack highlights the ongoing vulnerability of package ecosystems like npm and PyPI to supply chain attacks.
  • Ilkka Turunen notes that package takeovers are now a standard tactic for advanced persistent threat groups.
  • Developers and organizations must prioritize security awareness and implement robust measures to protect themselves against such attacks.



Twenty popular npm packages have been compromised in a supply chain attack that has drawn wide attention across the cybersecurity community. The affected packages, which collectively attract over 2 billion weekly downloads, were targeted by attackers who used a sophisticated phishing campaign to compromise a maintainer's account, allowing them to publish malicious code to the npm registry.

The attack, which was carried out in September 2025, saw attackers impersonate npm support staff and send an email to Josh Junon (aka Qix), a co-maintainer of one of the affected packages. The email claimed that the recipient's two-factor authentication credentials were outdated and required immediate attention. It contained a malicious link that, when clicked, led to a page prompting Junon to enter his username, password, and two-factor authentication token. The attackers captured this information and used it to publish rogue versions of the affected packages to the npm registry.

The compromised packages and versions were:

  • ansi-regex@6.2.1
  • ansi-styles@6.2.2
  • backslash@0.2.1
  • chalk@5.6.1
  • chalk-template@1.1.1
  • color-convert@3.1.1
  • color-name@2.0.1
  • color-string@2.1.1
  • debug@4.4.2
  • error-ex@1.3.3
  • has-ansi@6.0.1
  • is-arrayish@0.3.3
  • proto-tinker-wc@1.8.7
  • supports-hyperlinks@4.1.1
  • simple-swizzle@0.2.3
  • slice-ansi@7.1.1
  • strip-ansi@7.1.1
  • supports-color@10.2.1
  • wrap-ansi@9.0.1
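As an added example (not code from the article or from any of these projects), a small Node script that scans a package-lock.json for exactly the versions listed above. The lockfile fragment at the bottom is constructed for the demo; the version list is the one reported in this article.

```javascript
// Scan a package-lock.json (v2/v3, which lists every installed package under
// "packages" keyed by its node_modules path) for the exact compromised
// versions. Lockfile v1 (npm 6) uses a nested "dependencies" tree instead.

const COMPROMISED = new Map(Object.entries({
  "ansi-regex": "6.2.1", "ansi-styles": "6.2.2", "backslash": "0.2.1",
  "chalk": "5.6.1", "chalk-template": "1.1.1", "color-convert": "3.1.1",
  "color-name": "2.0.1", "color-string": "2.1.1", "debug": "4.4.2",
  "error-ex": "1.3.3", "has-ansi": "6.0.1", "is-arrayish": "0.3.3",
  "proto-tinker-wc": "1.8.7", "supports-hyperlinks": "4.1.1",
  "simple-swizzle": "0.2.3", "slice-ansi": "7.1.1", "strip-ansi": "7.1.1",
  "supports-color": "10.2.1", "wrap-ansi": "9.0.1",
}));

// Name from a lockfile key: the text after the last "node_modules/" (scoped
// names like "@scope/pkg" stay intact). The root project entry "" yields null.
function nameFromLockKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Returns [{ path, name, version }] for every installed copy, nested ones
// included, whose exact version is on the compromised list.
function findCompromised(lockfile) {
  const hits = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const name = nameFromLockKey(key);
    if (name !== null && COMPROMISED.get(name) === entry.version) {
      hits.push({ path: key, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment: top-level chalk and debug are clean, but a
// dependency of some-tool pulled in the bad debug and strip-ansi.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/debug": { version: "4.3.4" },
    "node_modules/some-tool/node_modules/debug": { version: "4.4.2" },
    "node_modules/some-tool/node_modules/strip-ansi": { version: "7.1.1" },
  },
};

console.log(findCompromised(SAMPLE_LOCK));
```

Against a real project, replace SAMPLE_LOCK with the parsed contents of ./package-lock.json; nested copies are the ones a top-level `npm ls chalk` style glance tends to miss.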

An analysis of the malicious code revealed that it was designed to intercept cryptocurrency transaction requests and swap the destination wallet address with an attacker-controlled wallet that closely matches it, chosen by computing the Levenshtein distance. The payload acts as a browser-based interceptor that hijacks network traffic and application APIs to steal cryptocurrency assets by rewriting requests and responses.

According to Charlie Eriksen, an expert at Aikido Security, "The payload begins by checking typeof window !== 'undefined' to confirm it is running in a browser. It then hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs." This means that the malware targets end users with connected wallets who visit a site that includes the compromised code. Developers are not inherently the target, but if they open an affected site in a browser and connect a wallet, they too become victims.
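As an added, page-side integrity check (not from the article or the affected packages) for the APIs Eriksen describes being hooked: built-in functions such as window.fetch still stringify to "[native code]", while a JavaScript wrapper placed over them does not, and extension-injected wallet providers are compared by identity against an early snapshot. The window object, the provider and the hooking routine are constructed stand-ins so the code runs offline in Node.

```javascript
// Built-ins stringify to "[native code]"; a JS wrapper replacing them does not.
// Using Function.prototype.toString directly defeats a forged .toString.
function isNative(fn) {
  return typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

function resolve(root, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), root);
}
const NATIVE_APIS = ["fetch", "XMLHttpRequest.prototype.open", "XMLHttpRequest.prototype.send"];
// Wallet providers are injected by extensions as ordinary JS, so they are
// compared by identity against a snapshot taken before third-party code runs.
const PROVIDER_APIS = ["ethereum.request"];

function snapshotProviders(win) {
  return new Map(PROVIDER_APIS.map((p) => [p, resolve(win, p)]));
}

// Returns the API paths that no longer look untouched.
function findHookedApis(win, providerSnapshot) {
  const hooked = [];
  for (const p of NATIVE_APIS) {
    const fn = resolve(win, p);
    if (fn !== undefined && !isNative(fn)) hooked.push(p);
  }
  for (const [p, original] of providerSnapshot) {
    if (resolve(win, p) !== original) hooked.push(p);
  }
  return hooked;
}

// Constructed window stand-in so this runs offline in Node: Array.prototype.push
// plays an untouched built-in and a plain async function plays the provider.
function demoWindow() {
  const native = Array.prototype.push;
  return {
    fetch: native,
    XMLHttpRequest: { prototype: { open: native, send: native } },
    ethereum: { request: async () => "0x1" },
  };
}

// What an interceptor leaves behind: forwarding wrappers, one with a forged toString.
function hookDemoWindow(win) {
  const origFetch = win.fetch, origRequest = win.ethereum.request;
  win.fetch = function fetch(...a) { return origFetch.apply(this, a); };
  win.fetch.toString = () => "function fetch() { [native code] }";
  win.ethereum.request = (...a) => origRequest(...a);
  return win;
}
```

In a real page the provider snapshot has to be taken before any third-party bundle executes, and the result is a coarse signal only: code that runs earlier can hook the same functions unseen.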

This attack highlights the ongoing vulnerability of package ecosystems like npm and PyPI to supply chain attacks. Attackers exploit the trust developers place in these registries, abusing their popularity and broad reach within the developer community. In addition to publishing malicious packages directly, attackers have also employed techniques such as typosquatting or exploiting AI-hallucinated dependencies (slopsquatting) to trick developers into installing malware.

Ilkka Turunen, Field CTO at Sonatype, noted that "What we are seeing unfold with the npm packages chalk and debug is an unfortunately common instance today in the software supply chain. The malicious payload was focused on crypto theft, but this takeover follows a classic attack that is now established – by taking over popular open source packages, adversaries can steal secrets, leave behind backdoors and infiltrate organizations."

The incident serves as a stark reminder of the need for vigilance, for hardening CI/CD pipelines, and for locking down dependencies. As Turunen pointed out, "It was not a random choice to target the developer of these packages. Package takeovers are now a standard tactic for advanced persistent threat groups like Lazarus, because they know they can reach a large amount of the world's developer population by infiltrating a single under-resourced project."

In light of this attack, developers and organizations should prioritize security awareness and implement robust measures to protect themselves against such compromises. By staying informed and taking proactive steps to secure their dependencies, they can reduce the risk of falling victim to supply chain attacks.




Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Devastating-Supply-Chain-Attack-20-Popular-npm-Packages-Compromised-in-Cybersecurity-Breach-ehn.shtml

  • https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html

  • https://arstechnica.com/security/2025/09/software-packages-with-more-than-2-billion-weekly-downloads-hit-in-supply-chain-attack/

  • https://en.wikipedia.org/wiki/Lazarus_Group

  • https://attack.mitre.org/groups/G0032/


  • Published: Tue Sep 9 03:26:37 2025 by llama3.2 3B Q4_K_M
