Major NPM supply chain attack compromises 18 popular packages, injects cryptocurrency-stealing malware
Take action: If you maintain JavaScript projects, check whether any of the packages listed below appear in your direct or transitive dependencies and whether you installed, built or deployed code during the affected window. If so, pin known-good versions and rebuild immediately.
A supply chain attack targeting the NPM ecosystem has compromised 18 widely-used JavaScript packages with a collective total of over 2.6 billion weekly downloads.
The attack was discovered on September 8, 2025, at 13:16 UTC. The attackers took over the NPM account of package maintainer Josh Junon (known as "qix") using phished credentials and published new versions of his packages that carried cryptocurrency-stealing malware.
Compromised packages
- ansi-styles@6.2.2 (371.41m weekly downloads across all versions)
- backslash@0.2.1 (0.26m weekly downloads across all versions)
- chalk-template@1.1.1 (3.9m weekly downloads across all versions)
- supports-hyperlinks@4.1.1 (19.2m weekly downloads across all versions)
- has-ansi@6.0.1 (12.1m weekly downloads across all versions)
- simple-swizzle@0.2.3 (26.26m weekly downloads across all versions)
- color-string@2.1.1 (27.48m weekly downloads across all versions)
- error-ex (47.17m weekly downloads across all versions)
- color-name@2.0.1 (191.71m weekly downloads across all versions)
- is-arrayish@0.3.3 (73.8m weekly downloads across all versions)
- slice-ansi@7.1.1 (59.8m weekly downloads across all versions)
- color-convert@3.1.1 (193.5m weekly downloads across all versions)
- wrap-ansi@9.0.1 (197.99m weekly downloads across all versions)
- ansi-regex@6.2.1 (243.64m weekly downloads across all versions)
- supports-color@10.2.1 (287.1m weekly downloads across all versions)
- strip-ansi@7.1.1 (261.17m weekly downloads across all versions)
- chalk@5.6.1 (299.99m weekly downloads across all versions)
- debug@4.4.2 (357.6m weekly downloads across all versions)
- color@5.0.1
The attack used a phishing email campaign that impersonated NPM support services. Attackers registered the fraudulent domain npmjs.help on September 5, 2025, just three days before launching the attack. The phishing emails were sent from support@npmjs.help and threatened account lockdowns by September 10, 2025, creating false urgency to pressure victims into clicking malicious links.
The emails claimed that users needed to update their Two-Factor Authentication (2FA) credentials, stating that accounts with outdated 2FA credentials would be temporarily locked to prevent unauthorized access.
The phishing site harvested Josh Junon's username, password, and 2FA token. The attackers then used these stolen credentials to gain complete control of Junon's NPM account and publish malicious versions of his maintained packages.
The malicious code injected into the compromised packages consists of obfuscated JavaScript designed to operate exclusively in browser environments. The malware functions as a browser-based interceptor that hooks into critical JavaScript functions including fetch, XMLHttpRequest, and cryptocurrency wallet APIs such as window.ethereum.
The malware monitors network traffic and API responses for cryptocurrency addresses across multiple blockchain networks and silently replaces legitimate wallet addresses with attacker-controlled addresses using a "nearest match" algorithm based on Levenshtein distance to make the substitutions less obvious to users.
The malicious packages were active for approximately 2-3 hours before being detected and removed from the NPM registry. Security researchers at Aikido Security were among the first to identify the compromise. The community quickly mobilized to alert the maintainer, who acknowledged the breach at 15:15 UTC and began cleanup efforts. However, the maintainer lost access to his account during the remediation process, requiring NPM's security team to intervene.
The impact of the attack was limited by the conditions needed for compromise. Users were affected only if they performed fresh NPM installations between approximately 9:00-11:30 AM ET (13:00-15:30 UTC) on September 8, 2025, while the malicious versions were live. In addition, the project's package-lock.json had to be created or updated during that window so that it resolved to the malicious versions, and one of the compromised packages had to be present as a direct or transitive dependency. Projects whose lockfile pinned earlier versions and was not regenerated during the window did not pull the malicious code.