Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Supply Chain Attack Exposes Over 2 Billion Weekly Npm Downloads to Malicious Code



A supply chain attack exposed npm packages with a combined total of over 2 billion weekly downloads to malicious code, underlining how much of the ecosystem hangs on a handful of maintainer accounts. The attack began with a phishing email that led a maintainer to enter his npm credentials and one-time 2FA code on a lookalike site; with that access the attackers published trojanized versions of multiple popular packages that hijack cryptocurrency transactions in the browser.

  • Multiple popular npm packages were compromised through an email phishing campaign that captured a maintainer's npm credentials and 2FA code.
  • The attackers published malware-laced versions of the packages, designed to hijack cryptocurrency transactions in the browser by swapping destination addresses.
  • Only applications that installed one of the malicious versions during the short window they were live, and that run the code where a wallet or crypto traffic is present, are affected.
  • Experts emphasized verifying which package versions are actually installed and using lock files with pinned versions so that a malicious release cannot be pulled in automatically.
  • The incident highlights the ongoing threat of supply chain attacks and the need for developers and maintainers to stay vigilant.


    In a recent supply chain attack, hackers compromised multiple popular npm packages with a combined total of over 2 billion weekly downloads after phishing a maintainer's npm credentials and two-factor authentication (2FA) code. The phishing email mimicked an official npm support message and urged the victim to update their 2FA credentials before September 10, 2025.

    Josh Junon, a maintainer known as Qix, received a phishing message claiming to be from npm ("support@npmjs[.]help") urging him to update his 2FA credentials. The message read: "As part of our ongoing commitment to account security, we are requesting that all users update their Two-Factor Authentication (2FA) credentials. Our records indicate that it has been over 12 months since your last 2FA update." The link led to a lookalike npm login page; entering his credentials and 2FA code there handed them to the attackers, who used them to take over his npm account and publish the malicious versions.

    According to Aikido Security researchers, who discovered the malicious code injected into the affected packages, the attackers published a malware-laced version of each package. The payload runs in the browser and hijacks cryptocurrency transactions: it hooks web traffic (fetch and XMLHttpRequest) and the wallet APIs for Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash, and replaces destination addresses with attacker-controlled ones so that funds are sent to the attacker instead of the intended recipient.
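    The address-swapping behaviour described above, reduced to its core, as an added example that is not the article's, Aikido Security's or the attackers' code. It simulates a browser window with a fake fetch, installs a simplified "clipper" hook, and shows two checks an application can run against it. The fake window object, the backend URL and every address are constructed for this demonstration and nothing touches a real network, wallet or chain.

```javascript
// Added example, not the article's, Aikido Security's or the attackers' code:
// a simplified simulation of the address-swapping ("clipper") behaviour
// described above, alongside two checks an application can run against it.
// The fake window object and all addresses are CONSTRUCTED for this demo;
// nothing here talks to a real network, wallet or chain.

const ETH_ADDRESS = /\b0x[0-9a-fA-F]{40}\b/g;

// Stand-in for a browser window whose fetch simply echoes the request back.
function makeEnv() {
  return {
    fetch: async (url, init) => ({ url, body: init ? init.body : undefined }),
  };
}

// Defender side, step 1: record references to the APIs you depend on as early
// as possible (in a real page, an inline script at the top of <head>).
function snapshotApis(env) {
  return { fetch: env.fetch };
}

// Attacker side: wrap fetch so that any Ethereum-style address in an outgoing
// request body is replaced before the request leaves the page. The real
// payload hooks more than fetch; this is the core of the technique only.
function installClipper(env, attackerAddress) {
  const original = env.fetch;
  env.fetch = function clipperFetch(url, init) {
    if (init && typeof init.body === "string") {
      init = { ...init, body: init.body.replace(ETH_ADDRESS, attackerAddress) };
    }
    return original.call(this, url, init);
  };
}

// Defender side, step 2: any API whose live reference differs from the
// snapshot has been replaced by something that ran after the snapshot.
function detectTamperedApis(env, snapshot) {
  return Object.keys(snapshot).filter((name) => env[name] !== snapshot[name]);
}

// Defender side, alternative: push a canary transaction body through fetch
// and confirm the destination address arrives unchanged. In a real app the
// request would go to your own backend (hypothetical URL below), which
// echoes the address back.
async function canaryAddressSurvives(env, canaryAddress) {
  const resp = await env.fetch("https://backend.example.invalid/echo", {
    method: "POST",
    body: JSON.stringify({ to: canaryAddress, value: "1" }),
  });
  return JSON.parse(resp.body).to === canaryAddress;
}
```

    Both checks have a blind spot worth stating plainly: if the malicious module executes before the snapshot script, which it will when it is bundled into a vendor chunk that loads first, `detectTamperedApis` sees nothing, and the canary only catches hooks that rewrite the exact pattern you send. They are runtime tripwires, not a substitute for keeping the malicious version out of the build in the first place.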

    The compromised packages include widely used libraries such as chalk, debug and ansi-styles. Not every consumer is at risk: an application is affected only if it installed one of the malicious versions during the short window they were available and executes that code where a wallet or crypto traffic is present, which in practice means browser-facing code. Aikido Security recommends checking which versions are actually installed, clearing the npm cache, reinstalling dependencies from a clean state, and using lock files with pinned versions so that a future malicious release cannot be pulled in automatically through a floating semver range.
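    One way to do the "verify what is actually installed" step from the paragraph above, as an added example that is not the article's, Aikido Security's or npm's code. It walks a package-lock.json and reports installed copies whose version appears on a flagged list, top-level dependencies declared with floating ranges, and packages resolved from a host other than the expected registry. The lockfile, the flagged-version list (the version numbers are placeholders, not the real malicious releases) and the mirror host are constructed for this demonstration.

```javascript
// Added example, not code from the article, Aikido Security or npm: audit a
// package-lock.json for flagged versions, unpinned top-level dependencies and
// tarballs resolved from an unexpected host. The lockfile and the flagged list
// are CONSTRUCTED for this demo; the version numbers are placeholders.

// Hypothetical indicator list: package name -> versions to reject.
const FLAGGED_VERSIONS = {
  chalk: new Set(["9.9.9"]),
  debug: new Set(["9.9.9"]),
  "ansi-styles": new Set(["9.9.9"]),
};

const EXPECTED_REGISTRY = "https://registry.npmjs.org/";

// Constructed lockfile in the lockfileVersion 3 layout: "packages" is keyed by
// install path, and the "" entry mirrors the project's own package.json.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app",
      dependencies: { chalk: "^9.0.0", debug: "9.9.9" },
      devDependencies: { "ansi-styles": "~6.0.0" },
    },
    "node_modules/chalk": { version: "9.9.9", resolved: "https://registry.npmjs.org/chalk/-/chalk-9.9.9.tgz" },
    "node_modules/debug": { version: "9.9.9", resolved: "https://registry.npmjs.org/debug/-/debug-9.9.9.tgz" },
    "node_modules/ansi-styles": { version: "6.0.0", resolved: "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.0.0.tgz" },
    // Nested older copy pulled from a (constructed) mirror: not a flagged
    // version, but the foreign host deserves a look.
    "node_modules/supports-color/node_modules/chalk": { version: "4.1.2", resolved: "https://mirror.example.invalid/chalk/-/chalk-4.1.2.tgz" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Every installed copy, nested ones included, whose version is flagged.
function findFlaggedPackages(lock, flagged) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the project itself
    const name = packageNameFromPath(installPath);
    const bad = flagged[name];
    if (bad && bad.has(meta.version)) {
      hits.push({ path: installPath, name, version: meta.version });
    }
  }
  return hits;
}

// Top-level dependencies whose declared range is not an exact version. A
// floating range lets "npm install" (unlike "npm ci") pick up a newer,
// possibly malicious, release the next time it runs.
function findUnpinnedDependencies(lock) {
  const root = (lock.packages && lock.packages[""]) || {};
  const exact = /^\d+\.\d+\.\d+$/;
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(root[field] || {})) {
      if (!exact.test(range)) out.push({ name, range, field });
    }
  }
  return out;
}

// Installed packages whose tarball was resolved from an unexpected host.
function findForeignResolved(lock, registryPrefix) {
  const out = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "" || !meta.resolved) continue;
    if (!meta.resolved.startsWith(registryPrefix)) {
      out.push({ path: installPath, resolved: meta.resolved });
    }
  }
  return out;
}
```

    Against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and `FLAGGED_VERSIONS` with the versions named in the advisory you are acting on. Pair the audit with the rest of the recommended procedure: `npm cache clean --force`, delete `node_modules`, then `npm ci` (which installs exactly what the lockfile says and fails if package.json and the lockfile disagree) rather than `npm install`. Setting `save-exact=true` and `ignore-scripts=true` in `.npmrc` keeps new dependencies pinned and stops install-time scripts from running unreviewed.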

    In a statement, Josh Junon acknowledged the incident and apologized for its impact: "Yep, I've been pwned. 2FA reset email, looked very legitimate. Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again. Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up."

    The attack highlights the ongoing threat of supply chain attacks and the importance of staying vigilant. Developers should upgrade dependencies deliberately, through pinned and reviewed versions rather than floating ranges, and maintainers should treat any unsolicited email that asks them to re-enter credentials or 2FA codes as a phishing attempt and navigate to the site directly instead of following the link.

    In conclusion, the compromise of npm packages with over 2 billion weekly downloads is a reminder that a single phished maintainer account can put an entire dependency chain at risk, and of the need for robust defences on both sides: phishing-resistant 2FA for maintainers, and pinned, verified dependencies for the projects that consume their packages.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Supply-Chain-Attack-Exposes-Over-2-Billion-Weekly-Npm-Downloads-to-Malicious-Code-ehn.shtml

  • https://securityaffairs.com/182030/security/supply-chain-attack-targets-npm-2-billion-weekly-npm-downloads-exposed.html

  • https://www.csoonline.com/article/4053725/massive-npm-supply-chain-attack-hits-18-popular-packages-with-2b-weekly-downloads.html


  • Published: Tue Sep 9 14:20:35 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.
