SOCRadar® Cyber Intelligence Inc. | Massive npm Supply Chain Attack Exposes Millions to Crypto-Stealing Malware
Sep 09, 2025
5 Mins Read

Massive npm Supply Chain Attack Exposes Millions to Crypto-Stealing Malware

Yesterday, researchers issued a warning about a major npm supply chain attack that has disrupted the JavaScript ecosystem. Attackers compromised widely used packages such as chalk, debug, and ansi-styles, injecting malware designed to hijack cryptocurrency transactions.

With billions of weekly downloads across these libraries, the potential damage extends to countless applications, forcing urgent questions about how developers and organizations can defend their software supply chains.

What Happened?

The breach began with a phishing campaign targeting npm package maintainers – Josh Junon confirmed that his account was hijacked after receiving a convincing email disguised as an npm security notice.

Josh Junon’s post on Bluesky

The phishing email appeared to come from a support address on npmjs[.]help, a lookalike domain registered just days earlier to impersonate the legitimate npm site (npmjs.com). The message warned that outdated Two-Factor Authentication (2FA) credentials would result in account lockouts by September 10, 2025, giving the target a deadline and a reason to act quickly.

The phishing email (aikido.dev)

The email linked to a fake npm login portal built to harvest usernames and passwords. Once Junon’s credentials had been captured, the attackers took over his npm account and began publishing malicious versions of the packages he maintained.

What Packages Were Compromised in the npm Supply Chain Attack?

Researchers confirmed that 18 high-profile packages were tampered with in this recent npm supply chain attack. Together, these libraries account for more than 2.6 billion weekly downloads. Some of the most impacted include:

  • debug (357.6M weekly downloads)
  • chalk (299.9M)
  • ansi-styles (371.4M)
  • strip-ansi (261.1M)
  • supports-color (287.1M)
  • wrap-ansi (197.9M)

Additional compromised packages include backslash, chalk-template, color-string, is-arrayish, and others. Attackers even expanded their campaign by tampering with unrelated projects, such as proto-tinker-wc, confirming this was not an isolated incident.

As noted by the security news outlet BleepingComputer, the actual impact may be narrower than feared – they report that according to Andrew MacPherson of Privy, an app would only be affected if it (1) performed a fresh install between ~9 AM and ~11:30 AM ET when the compromised versions were live, (2) generated a new package-lock.json during that time window, and (3) included the vulnerable packages either directly or through dependencies.

Check Indicators of Compromise at the end of this article for the list of affected packages and versions.

How the Malware Works

The injected code functioned as a browser-based interceptor. Once a compromised package was included in a web application, the malware activated in users’ browsers and silently monitored crypto-related activity.

Step-by-Step Behavior

  1. Injection – The malware hooked core browser functions like fetch, XMLHttpRequest, and wallet APIs such as window.ethereum and Solana interfaces.
  2. Monitoring – It scanned responses and payloads for cryptocurrency wallet addresses and transaction details.
  3. Manipulation – Detected wallet addresses were replaced with attacker-controlled lookalike addresses.
  4. Hijacking – Before transactions were signed, the malware silently rerouted funds or approvals to the attacker’s wallets.
  5. Stealth – It avoided visible UI changes to keep victims unaware of the manipulation.

The malware targeted multiple cryptocurrencies, including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash, showing the attackers’ intent to maximize profits across ecosystems.
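The steps above describe a monkey-patching pattern: native browser functions are replaced by wrappers that pass response bodies through an address rewriter, and "lookalike" means the attacker address closest to the victim's by Levenshtein edit distance, as the public analyses of this payload reported. The following is an added example, not code from the compromised packages or from SOCRadar: it models that rewriting step on a constructed API response and pairs it with the simplest check a page can run, whether a global function still stringifies to `[native code]`. Every address and payload in it is constructed for illustration, and the attacker pool, chain patterns and function names are assumptions, not values from the real sample.

```javascript
// Added example (not from the incident or the article): a compact model of
// the address-rewriting hook described above, plus a native-function check.
// All addresses below are constructed and do not belong to real wallets.

// Constructed pool of "attacker" addresses, one list per chain.
const ATTACKER_POOL = {
  eth: [
    '0xdeadbeef' + '0'.repeat(29) + '999',       // close to the victim below
    '0x7a3f0b1c2d3e4f5061728394a5b6c7d8e9f0a1b2', // far from it
  ],
  btc: ['bc1q' + 'attacker'.repeat(4)],
};

// Per-chain address patterns; the real sample matched several chains this way.
const CHAIN_PATTERNS = {
  eth: /0x[a-fA-F0-9]{40}/g,
  btc: /\bbc1[a-z0-9]{25,62}\b/g,
};

// Classic Levenshtein edit distance (two-row dynamic programming).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Pick the pool address closest to the victim's, so a glance at the first
// and last characters does not reveal the swap.
function nearestLookalike(victim, pool) {
  return pool.reduce((best, cand) =>
    levenshtein(victim, cand) < levenshtein(victim, best) ? cand : best);
}

// Rewrite every recognised address in a text body with its lookalike.
function rewriteAddresses(text, pool = ATTACKER_POOL) {
  let out = text;
  for (const [chain, pattern] of Object.entries(CHAIN_PATTERNS)) {
    out = out.replace(pattern, (addr) =>
      pool[chain].includes(addr) ? addr : nearestLookalike(addr, pool[chain]));
  }
  return out;
}

// Monkey-patch pattern: wrap a function that returns text (the malware did
// this to fetch/XHR response bodies) so its output passes through the rewriter.
function hookTextFunction(original, pool = ATTACKER_POOL) {
  return function hooked(...args) {
    const result = original.apply(this, args);
    return typeof result === 'string' ? rewriteAddresses(result, pool) : result;
  };
}

// Defensive check: a JavaScript wrapper no longer stringifies to [native code].
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Report which of the named functions on a scope object are not native.
function findHookedGlobals(scope, names = ['fetch', 'XMLHttpRequest']) {
  return names.filter((n) => typeof scope[n] === 'function' && !isNativeFunction(scope[n]));
}

// Constructed "API response" a victim page might receive.
const SAMPLE_RESPONSE = JSON.stringify({
  to: '0xdeadbeef' + '0'.repeat(31) + '1',
  refund: 'bc1q' + 'victim'.repeat(6),
  amount: '1.5',
});

// Run the hook over the sample and return both views for comparison.
function demo() {
  const transport = () => SAMPLE_RESPONSE;   // stands in for fetch(...).text()
  const hooked = hookTextFunction(transport);
  return { before: JSON.parse(transport()), after: JSON.parse(hooked()) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log('flagged:', findHookedGlobals({ fetch: hookTextFunction(() => ''), XMLHttpRequest: JSON.parse }));
}
```

Two caveats on the check: it is meaningful only in a browser, where `fetch` and `XMLHttpRequest` are engine natives (Node's `fetch` is implemented in JavaScript and would be flagged regardless), and it is a tripwire rather than proof, since a wrapper created with `Function.prototype.bind`, a `Proxy`, or an overridden `toString` also stringifies as native. Treat a positive as a reason to compare the served bundle against the one you built, not as the end of the investigation.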

How the malware worked, step by step

Why This npm Supply Chain Attack Poses a Serious Risk

These kinds of attacks are increasingly common, aiming to deceive developers and compromise entire supply chains through widely used libraries. This incident highlights two growing security challenges:

  • Phishing against developers – Even seasoned maintainers can be deceived by sophisticated impersonation campaigns.
  • The browser as an attack surface – The injected malware demonstrates how browser APIs can be manipulated to hijack sensitive actions without alerting users.

Mitigation and Next Steps

  • Audit Dependencies: npm has removed the malicious versions from the registry, but that does not clean installs or builds that already pulled them. Compare your lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) against the compromised package/version pairs, including transitive dependencies, and treat any front-end bundle built during the window as suspect: rebuild it from a clean lockfile and redeploy, because the payload runs in end users’ browsers, not on the build server.
  • Enable Stronger 2FA: Ensure 2FA is enabled on every npm maintainer account, and prefer WebAuthn (hardware keys or passkeys) over TOTP codes, which a real-time phishing page can relay to the real site. Treat any "update your 2FA" email that carries a deadline as suspect, and verify the sending domain against npmjs.com before following a link.
  • Monitor for Anomalies: Watch for wallet addresses that change between the server response and what the page renders, user reports of funds or approvals sent to unfamiliar addresses, and publishes to your own packages that no maintainer initiated.
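A lockfile audit is mechanical enough to script. The following is an added example, not SOCRadar’s or npm’s tooling: it walks a package-lock.json, both the flat `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1, and reports every installed copy of an affected package at a malicious version, including copies nested under other dependencies. The `AFFECTED` table is an illustrative subset using the malicious versions widely reported for four of the packages; replace it with the full list from the Indicators of Compromise section before relying on the result. The sample lockfiles are constructed.

```javascript
// Added example (not from npm or SOCRadar): find compromised package versions
// in a package-lock.json, covering lockfileVersion 1, 2 and 3 layouts.

// Illustrative subset; substitute the full IoC list of package -> versions.
const AFFECTED = {
  chalk: ['5.6.1'],
  debug: ['4.4.2'],
  'ansi-styles': ['6.2.2'],
  'strip-ansi': ['7.1.1'],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockKey(key) {
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// lockfileVersion 1 nests transitive dependencies under each entry.
function walkV1(deps, affected, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if ((affected[name] || []).includes(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
    walkV1(meta.dependencies, affected, path + '/', hits);
  }
}

// Returns [{ name, version, path }] for every malicious copy found.
function findCompromised(lock, affected = AFFECTED) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: one flat map keyed by install path; "" is the root project.
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '' || !meta.version) continue;   // root or workspace link
      const name = nameFromLockKey(key);
      if ((affected[name] || []).includes(meta.version)) {
        hits.push({ name, version: meta.version, path: key });
      }
    }
  } else {
    walkV1(lock.dependencies, affected, '', hits);
  }
  return hits;
}

// Constructed v3 lockfile: a clean top-level chalk and a bad nested one.
const SAMPLE_LOCK_V3 = {
  name: 'example-app', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/chalk': { version: '4.1.2' },
    'node_modules/some-cli': { version: '2.0.0', dependencies: { chalk: '^5.6.0' } },
    'node_modules/some-cli/node_modules/chalk': { version: '5.6.1' },
    'node_modules/debug': { version: '4.4.1' },
  },
};

// Constructed v1 lockfile with a bad debug and a clean chalk.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    debug: { version: '4.4.2', dependencies: { ms: { version: '2.1.3' } } },
    chalk: { version: '4.1.2' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, 'utf8')) : SAMPLE_LOCK_V3;
  const hits = findCompromised(lock);
  for (const h of hits) console.log(`${h.name}@${h.version} at ${h.path}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

Run it as `node audit-lock.js path/to/package-lock.json` (the filename is this example's own choice); a non-zero exit makes it usable as a CI gate. `npm ls chalk debug` gives the same view interactively, and a clean lockfile still says nothing about a bundle that was built while the bad versions were live, so check deployed artifacts separately.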

How Can SOCRadar Help?

In an era where software supply chain attacks are on the rise, visibility and speed of response are critical. The advanced monitoring capabilities of SOCRadar Extended Threat Intelligence (XTI) provide real-time alerts on potential threats, giving organizations critical lead time to respond.

SOCRadar Alarm Management

Moreover, with its Supply Chain Intelligence module, SOCRadar delivers third-party risk scoring, real-time monitoring, and instant alerts for emerging threats. This enables security teams to maintain a clear view of vendor exposure and reinforce defenses before incidents escalate.

SOCRadar’s Supply Chain Intelligence module