Under Attack?
What is NPM?
Node package manager (NPM) is one the world’s largest Software Registry, containing over 800,000 code packages. NPM is a package manager for Node.js projects made available for public use.
NPM allows the use code written by others easily without the need to write them ourselves during development.
Incident Background:
Multiple NPM packages have been compromised as part of a software supply chain attack after a maintainer's account was compromised in a phishing attack.
The attack targeted Josh Junon (aka Qix), who received an email message that mimicked NPM ("support@NPMjs[.]help"), urging them to update their update their two-factor authentication (2FA) credentials before September 10, 2025, by clicking on embedded link.
Multiple code developers according to reports have also received the same or similar phishing email, according to those who received the phishing email.
It's currently not known who is behind the attack.
Supply Chain Attack
The payload is a crypto-clipper that steals funds by swapping wallet addresses in network requests and directly hijacking crypto transactions.
“The payload begins by checking typeof window !== 'undefined' to confirm it is running in a browser. It then hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs. This means the malware targets end users with connected wallets who visit a site that includes the compromised code. Developers are not inherently the target, but if they open an affected site in a browser and connect a wallet, they too become victims.”
Affected Packages:
The following 20 packages mentioned below, which collectively attract over 2 billion weekly downloads, have been confirmed as affected as part of the incident – meaning that the entire JavaScript ecosystem may be at risk. These are not niche libraries; they are core building blocks buried deep in the dependency tress of countless projects.
|
Packages |
||
|
ansi-regex@6.2.1 |
color-name@2.0.1 |
proto-tinker-wc@1.8.7 |
|
ansi-styles@6.2.2 |
color-string@2.1.1 |
supports-hyperlinks@4.1.1 |
|
backslash@0.2.1 |
debug@4.4.2 |
simple-swizzle@0.2.3 |
|
chalk@5.6.1 |
error-ex@1.3.3 |
slice-ansi@7.1.1 |
|
chalk-template@1.1.1 |
has-ansi@6.0.1 |
strip-ansi@7.1.1 |
|
color-convert@3.1.1 |
is-arrayish@0.3.3 |
supports-color@10.2.1 |
|
supports-hyperlinks@4.1.1 |
wrap-ansi@9.0.1 |
|
What Developers Should Do
- Do not upgrade to these compromised versions.
- Lock dependencies to previously safe releases.
- Audit recent installs for signs of compromise.
The author along with the NPM security team are actively working to resolve this issue. The malicious code has already been removed from most of the affected packages, and the situation is being remediated.
However, it is crucial to audit your projects, as compromised versions may still be present in your dependencies or lockfiles.
References:
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
