Multiple NPM packages have been compromised as part of a software supply chain attack after the maintainer’s account was compromised in a phishing attack.
The attack targeted Josh Junon (aka QIX) who received an email message mimicking NPM (support @npmjs[.]Help) and click on the embedded link to prompt you to update your two-factor authentication (2FA) credentials by September 10, 2025.
The phishing page is said to have prompted the co-mentor to enter a username, password, and a two-factor authentication (2FA) token.
The next 20 packages that collectively attract more than 2 billion downloads each week have been confirmed to be affected as part of an incident –
ansi-regex@6.2.1 ansi-styles@6.2.2 backslash@0.2.1 chalk@5.6.1 chalk-template@1.1.1 color-convert@3.1.1 color-name@2.0.1 color-string@2.1.1 debug@4.4.2 error-ex@1.3.3 has-ansi@6.0.1 is-arrayish@0.3.3 proto-tinker-wc@1.8.7 supports-hyperlinks@4.1.1 simple-swizzle@0.2.3 slice-ansi@7.1.1 sprip-ansi@7.1.1 supports-hyperlinks@4.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.
“Sorry, I should have paid more attention,” Junon said in a Bruski post. “Not like me. I had a stressful week. I’ll work to clean this up.”
Analysis of obfuscated malware injected into the source code reveals that it is designed to intercept cryptocurrency transaction requests and exchange destination wallet addresses with closely matched attacker-controlled wallets by calculating Levenstenin distance.
According to Charlie Eriksen of Aikido Security, the payload acts as a browser-based interceptor that hijacks network traffic and application APIs to steal cryptocurrency assets by rewriting requests and answers. It is currently unknown who is behind the attack.
“The payload starts with checking the window of the type! == “Undefined” ensures that it is running in the browser,” says Socket. “Then connect to Window.fetch, xmlhttprequest, and window.ethereum.request, other wallet provider APIs.”
“This means that the malware targets end users with connected wallets that access sites that contain compromised code. Developers are not essentially targeted, but if you open an affected site in your browser and connect your wallet, you become a victim.”
Package ecosystems such as NPM and Python Package Index (PYPI) repeat targets for their popularity and wide reach within the developer community.
In addition to exposing malicious packages directly, attackers are also using techniques such as exploiting AI-Hallucinated dependencies to install malware, using AI-Hallucinated dependencies, known as slopestwing. The incident once demonstrates the need to exercise vigilance, strengthen the CI/CD pipeline and lock down dependencies.
According to ReversingLabs’ 2025 Software Supply Chain Security Report, 14 of the 23 malicious crypto-related campaigns in 2024 target NPM, while the rest are linked to PYPI.
“What we’re seeing is the unfolding of choke and debugging of NPM packages is a unfortunately common instance in today’s software supply chain,” Sonatype’s field CTO Ilkka Turunen told Hacker News.
“While malicious payloads focused on cryptographic theft, this acquisition follows the classic attacks that are now established. By taking over a common open source package, the enemy steals secrets, leaves behind the background and penetrates the organization.”
“Targeting developers of these packages was not a random choice. Package acquisitions have become the standard tactic for advanced permanent threat groups like Lazarus because they know that by infiltrating a single underfunded project, they can reach a large number of developer populations around the world.”
Source link
