Massive supply chain attack hits NPM as hackers target 18 packages downloaded 2B times weekly


What has been dubbed the largest supply chain attack in history has hit NPM, one of the most prolific JavaScript package managers.

Early this morning (around 9:30 a.m. ET), security researchers reported what has been called the largest supply chain attack in history. The attack hit NPM, one of the main JavaScript package managers, used by 17 million developers; the compromised packages are together downloaded about 2.6 billion times every week.

Bad actors managed to fool a package maintainer, Josh Junon, by sending him a convincing phishing email asking him to update his two-factor authentication credentials.


The email came from the “support@npmjs[.]help” domain, which seemed to spoof the legitimate domain.

Junon was tricked into clicking a link in the phishing email, which subsequently locked him out of his account, according to the maintainer.

The link then loaded content from two BunnyCDN buckets controlled by the unknown attackers.

"The malware hidden in the compromised NPM packages was a cryptocurrency drainer designed to silently hijack financial transactions. When users tried to send crypto, the malware replaced the destination wallet with the attacker’s address while still showing the correct one in the UI,” explained Cybernews researcher Mantas Sabeckis.

Yep, I've been pwned. 2FA reset email, looked very legitimate. Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again. Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.


Josh Junon (@bad-at-computer.bsky.social), September 8, 2025 at 6:15 PM

One of the scripts the phishing page loaded was a credential stealer that captures the username, password, and two-factor authentication code and sends them to a remote host.

Jan-David Stärk, team lead and software engineer at Hansalog, a software company, who reported on the attack earlier, said that the affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.


Which packages did the NPM supply chain attack affect?

The attack affected 18 popular packages downloaded over 2 billion times per week in total, among them “chalk” and “debug.”


Cybersecurity firm Aikido Security first identified the attack and published the names of the 18 compromised packages while it was still under way.

The packages affected include:

  • backslash
  • chalk-template
  • supports-hyperlinks
  • has-ansi
  • simple-swizzle
  • color-string
  • error-ex
  • color-name
  • is-arrayish
  • slice-ansi
  • color-convert
  • wrap-ansi
  • ansi-regex
  • supports-color
  • strip-ansi
  • chalk
  • debug
  • ansi-styles

Some of these packages are downloaded hundreds of millions of times per week and are used by developers to complete tasks ranging from debugging programs to terminal string styling.

What actually happened during the NPM supply chain attack?

Compromised versions of the packages were published with malicious code that runs in the browser of anyone visiting a website that bundles them.

The code then scouts for cryptocurrency and Web3-related activity in the browser to manipulate wallet interactions and rewrite payment destinations to secretly redirect funds to the attacker's address, Aikido said.

The malware is a browser-based interceptor that hooks both network traffic and application APIs.

“It injects itself into functions like fetch, XMLHttpRequest, and common wallet interfaces, then silently rewrites values in requests and responses,” according to Aikido.


This means that sensitive values such as payment destinations can be swapped for attacker-controlled ones in transit, before the user can tell what has happened: the page still displays the address the user entered, while the request that leaves the browser carries the attacker’s.

This suggests that attackers were attempting to sneak under the radar and steal cryptocurrency from unsuspecting victims.
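To make the mechanism concrete, here is an added example (written for this page, not code from the article, Aikido, or the actual malware): a minimal model of a fetch hook that rewrites address-shaped strings in outgoing request bodies, together with two checks a web app or wallet front end can run to notice that its network globals have been wrapped. The page object, its stub `fetch`, and the two addresses are constructed so the example runs offline; in a browser the same checks would be applied to `window.fetch` and `XMLHttpRequest.prototype.open`/`send`.

```javascript
// Added example: model of the browser-side interceptor described above, plus
// two integrity checks. Not the article's or any vendor's code.

const EVM_ADDRESS = /0x[0-9a-fA-F]{40}/g;

// Stand-in for the browser page (constructed): a stub fetch that records what
// it was asked to send instead of doing real network I/O.
function makePage() {
  const sent = [];
  return {
    sent,
    fetch(url, init = {}) {
      sent.push({ url, body: init.body });
      return Promise.resolve({ ok: true });
    },
  };
}

// Illustrative hook of the kind the article describes: wrap the page's fetch
// and rewrite any address-shaped string in the outgoing body. The UI code
// that built the request never sees the substitution.
function installAddressSwapper(page, attackerAddress) {
  const original = page.fetch;
  page.fetch = function (url, init = {}) {
    const body =
      typeof init.body === "string"
        ? init.body.replace(EVM_ADDRESS, attackerAddress)
        : init.body;
    return original.call(this, url, { ...init, body });
  };
}

// Check 1: capture references to the globals you care about as early as
// possible (first script on the page), then compare identity later.
function snapshotGlobals(target, names) {
  return new Map(names.map((n) => [n, target[n]]));
}
function findReplacedGlobals(target, snapshot) {
  return [...snapshot].filter(([n, fn]) => target[n] !== fn).map(([n]) => n);
}

// Check 2: a JS wrapper is not the engine's native implementation. In a
// browser this applies to fetch and XMLHttpRequest; Node's own fetch is
// written in JS, so the demo exercises it on Array.prototype.push instead.
// Caveat: Function.prototype.toString can itself be hooked, and bound
// functions also print as native code, so this is a heuristic, not proof.
function isNativeFunction(fn) {
  return (
    typeof fn === "function" &&
    /\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn))
  );
}

// Run the scenario and return what the UI showed versus what went out.
function demo() {
  const page = makePage();
  const baseline = snapshotGlobals(page, ["fetch"]); // taken before any dependency runs
  const uiDestination = "0x" + "1".repeat(40); // constructed address the user typed
  const attacker = "0x" + "2".repeat(40); // constructed attacker address

  installAddressSwapper(page, attacker); // the compromised dependency loads
  page.fetch("/api/send", {
    method: "POST",
    body: JSON.stringify({ to: uiDestination, amount: "1.0" }),
  });
  const onWire = JSON.parse(page.sent[0].body).to; // what actually left the browser

  return {
    uiDestination,
    onWire,
    replaced: findReplacedGlobals(page, baseline), // ["fetch"]
    wrapperLooksNative: isNativeFunction(page.fetch), // false
    pushLooksNative: isNativeFunction(Array.prototype.push), // true
  };
}
```

The snapshot check only works if the snapshot is taken before any third-party bundle executes, which in practice means a tiny inline script at the top of the document; the native-code check is a useful second signal but, as the comment notes, can be defeated by malware that also patches `Function.prototype.toString`.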

However, according to the Security Alliance, few victims had been identified following the attack, and at that point only about 5 cents appeared to have been stolen.

Bitcoin and crypto users affected by NPM supply chain attack

What may be the largest supply chain attack in history, aimed at cryptoasset users, has so far failed to cause any substantial damage.

Based on the available data, at the time of writing, the criminals appear to have managed to steal only around $200 worth of cryptoassets. However, the number might not be final, as new data keeps coming in.

"Indeed, it seems like the biggest financial impact of this entire incident will be the collective thousands of hours spent by engineering and security teams around the world working to clean compromised environments, and the millions of dollars of sales contracts that will inevitably be signed as a result of this new case study," the cryptoasset-focused Security Alliance, or SEAL, said.


While the malicious code has already been removed from most of the affected packages, experts warn to stay vigilant.


"It is crucial to audit your projects, as compromised versions may still be present in your dependencies or lockfiles," Stärk said, adding that the malware swaps cryptoasset addresses to steal funds. A lockfile pins exact versions, so a project can keep installing a compromised release long after the registry has removed it.

According to Ledger’s CTO, people who do not use a hardware wallet with clear signing are at risk, as they have no trusted display on which to review the real transaction details before signing.

"If you don’t use a hardware wallet, refrain from making any on-chain transactions for now," he said, adding that it is unclear whether the attacker is also stealing seed words from software wallets to gain access to funds.

Also, 0xngmi, founder of DeFiLlama, a decentralized finance market data tool, noted that "it's not like you'll instantly get drained," because you still need to confirm a transaction on your hardware wallet.

However, he suggested "avoid using crypto websites till this blows over and they clean up the bad packages," as "in any website that uses this hacked dependency, it gives a chance to the hacker to inject malicious code" and swap the transaction destination so the funds go to the criminals.