Supply Chain Attack Targets NPM, +2 Billion Weekly Downloads Exposed

A devastating supply chain attack has compromised multiple popular Node Package Manager (npm) packages, leaving over 2 billion weekly downloads vulnerable to malware. The attack targeted a maintainer's 2-factor authentication credentials via a phishing email, allowing attackers to steal sensitive information and publish maliciously modified versions of the affected packages.

The incident began when Josh Junon, a maintainer of Qix, received a phishing email that appeared to be from npm itself. The message claimed that his 2-factor authentication (2FA) credentials were outdated and needed to be updated by September 10, 2025. The email was designed to prompt Junon to enter his username, password, and 2FA token, which the attackers promptly obtained.

Once the attackers had gained access to Junon's credentials, they published a maliciously modified version of the affected packages, including chalk, debug, and ansi-styles. The malware-laced code, developed by Aikido Security researchers, intercepts web traffic and crypto wallet APIs, hijacking funds from unsuspecting users.

How the Attack Worked

The attackers exploited a vulnerability in Junon's 2FA reset email, which was designed to look legitimate. They then used this information to steal his npm credentials and 2FA token via an AitM attack. With these credentials in hand, they published maliciously modified versions of the affected packages.

Malicious Code Analysis

Aikido Security researchers discovered that the attackers injected malicious code into the index.js file of the compromised packages. This malware has several alarming features:

  • It hijacks popular cryptocurrency transactions, replacing destination addresses with attacker-controlled ones to steal funds.
  • The malware intercepts web traffic and crypto wallet APIs (Ethereum, Bitcoin, Solana, Tron, Litecoin, Bitcoin Cash), rewriting values in requests and responses.
  • It uses string-matching logic that replaces targets with look-alike values, making it harder to notice the changes.
  • The malware hooks JS functions (fetch, XMLHttpRequest, wallet APIs) to manipulate transactions at multiple layers: web content, API calls, and signing processes.

Experts note that while this attack is severe, only apps meeting specific criteria are impacted. The incident highlights the importance of staying vigilant against phishing attacks and regularly updating dependencies to prevent similar breaches in the future.

What You Can Do

To protect yourself from this attack:

  • Verify package versions and update them immediately.
  • Clear your npm cache and reinstall all dependencies.
  • Use lock files with pinned versions to prevent malicious updates.
  • Stay informed about the latest security patches and updates from npm and other reputable sources.

By taking these precautions, you can minimize the risk of falling victim to a similar attack. Remember, in today's digital landscape, vigilance is key to protecting your online security.