In a sophisticated **supply chain attack**, threat actors compromised the account of **Josh Junon (qix)**, a maintainer of multiple high-profile NPM packages, via a **phishing scam** impersonating NPM support. The attackers injected **malicious code** into **18 widely used packages** (e.g., *debug*, *chalk*, *ansi-styles*), collectively downloaded **over 2.6 billion times weekly**. The malware acted as a **browser-based interceptor**, hijacking cryptocurrency transactions (Ethereum, Bitcoin, Solana, etc.) by replacing destination wallet addresses with attacker-controlled ones. While the attack had a **narrow window of exposure** (9 AM–11:30 AM ET on the day of compromise) and required specific conditions (a fresh install or dependency update that resolved to a malicious version during that window, whether as a direct or a transitive dependency), it targeted **developers and end-users** interacting with compromised web applications. NPM removed the malicious versions after detection, but the incident highlights **critical risks in open-source supply chains**, where a single maintainer compromise can enable large-scale financial theft. The attack combined **social engineering (phishing)** with **code injection**, exploiting trust in NPM’s ecosystem to manipulate transactions silently.
TPRM report: https://www.rankiteo.com/company/npm-inc-
"id": "npm1504015090925",
"linkid": "npm-inc-",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customer data leaks"
{'affected_entities': [{'customers_affected': 'developers/users of compromised '
'packages (potential reach: 2.6B '
'weekly downloads)',
'industry': 'software development',
'location': 'global',
'name': 'NPM (Node Package Manager)',
'type': 'package registry'},
{'industry': 'software development',
'name': 'Josh Junon (qix)',
'type': 'individual (package maintainer)'},
{'customers_affected': 'end-users of apps built with '
'compromised packages',
'industry': 'various (tech, finance, etc.)',
'location': 'global',
'name': 'Developers using compromised packages',
'type': 'organizations/individuals'}],
'attack_vector': ['phishing email',
'compromised maintainer account',
'malicious NPM package updates'],
'customer_advisories': ['Users of apps built with affected NPM packages '
'should avoid cryptocurrency transactions until '
'patches are confirmed.',
'Monitor wallets for unauthorized transactions if '
'interacting with potentially compromised apps.'],
'data_breach': {'data_exfiltration': ['credentials sent to '
'attacker-controlled URL '
'(websocket-api2[.]publicvm.com)'],
'personally_identifiable_information': ['potentially (if '
'maintainers reused '
'credentials '
'elsewhere)'],
'sensitivity_of_data': ['high (credentials)',
'high (financial transactions)'],
'type_of_data_compromised': ['credentials (NPM maintainers)',
'cryptocurrency transaction '
'data']},
'date_publicly_disclosed': '2025-09-10',
'description': 'Attackers injected malware into NPM packages with over 2.6 '
"billion weekly downloads after compromising a maintainer's "
'account in a phishing attack. The malicious code intercepts '
'cryptocurrency transactions in web browsers, redirecting '
'funds to attacker-controlled wallets. The attack targeted '
"multiple widely used packages, including 'debug' (357.6M "
"weekly downloads), 'chalk' (299.99M), and others. The "
'phishing email impersonated NPM support, threatening account '
'locks to coerce victims into revealing credentials.',
'impact': {'brand_reputation_impact': ['high (NPM ecosystem trust erosion)',
'developer community concern'],
'data_compromised': ['credentials (NPM maintainers)',
'cryptocurrency transactions (Ethereum, '
'Bitcoin, Solana, etc.)'],
'identity_theft_risk': ['high (for NPM maintainers whose '
'credentials were stolen)'],
'operational_impact': ['disrupted trust in NPM ecosystem',
'potential app functionality issues due to '
'malicious code'],
'payment_information_risk': ['high (cryptocurrency transactions '
'redirected to attackers)'],
'systems_affected': ['web applications using compromised NPM '
'packages',
'user browsers interacting with affected '
'apps']},
'initial_access_broker': {'backdoors_established': ['malicious code in NPM '
'package updates (e.g., '
'index.js hooks)'],
'entry_point': 'phishing email '
'(support[at]npmjs[.]help)',
'high_value_targets': ['cryptocurrency transactions',
'wallet APIs (Ethereum, '
'Solana, etc.)']},
'investigation_status': 'ongoing (analysis by Aikido Security, reporting by '
'BleepingComputer)',
'lessons_learned': ['Phishing remains a critical vector for supply chain '
'attacks, even in technical communities.',
'Multi-factor authentication (2FA) enforcement is '
'essential for package maintainers.',
'Browser-based attacks can intercept high-value '
'transactions (e.g., cryptocurrency) without obvious '
'signs.',
'Supply chain risks extend beyond direct dependencies to '
'transitive ones.',
'Time-bound attacks (e.g., malicious packages available '
'for ~2.5 hours) can limit exposure but still cause '
'significant harm.'],
'motivation': ['financial gain (cryptocurrency theft)',
'credential harvesting'],
'post_incident_analysis': {'corrective_actions': ['NPM has removed known '
'malicious versions (e.g., '
"'debug').",
'Increased awareness of '
'phishing tactics among '
'maintainers.',
'Call for broader adoption '
'of package signing and '
'verification.'],
'root_causes': ['Successful phishing attack on '
'package maintainer (Josh Junon).',
'Lack of 2FA enforcement or '
'credential hygiene for critical '
'accounts.',
'Insufficient monitoring for '
'malicious package updates.',
'Over-reliance on trust in '
'open-source maintainers without '
'verification mechanisms.']},
'recommendations': ['Enforce 2FA for all package maintainers and critical '
'accounts.',
'Implement automated monitoring for suspicious package '
'updates (e.g., unexpected code changes).',
'Educate developers on phishing tactics, especially '
'impersonation of legitimate services (e.g., NPM '
'support).',
'Use package signing and verification to detect '
'tampering.',
'Limit the window of exposure for compromised packages '
'via rapid detection/removal.',
'Audit transitive dependencies for vulnerabilities, not '
'just direct ones.',
'Monitor dark web for stolen credentials related to '
'maintainers.',
'Implement browser security controls to detect '
'transaction manipulation (e.g., hooking of `fetch` or '
'wallet APIs).'],
'references': [{'source': 'BleepingComputer',
'url': 'https://www.bleepingcomputer.com/news/security/attackers-inject-malware-into-npm-packages-with-26-billion-downloads/'},
{'source': 'Aikido Security'},
{'source': 'Nicolas Morel (phishing email screenshot)'}],
'response': {'communication_strategy': ['public disclosure via '
'BleepingComputer',
'maintainer (Josh Junon) '
'confirmation'],
'containment_measures': ['removal of malicious package versions '
"(e.g., 'debug')",
'NPM team intervention'],
'incident_response_plan_activated': True,
'third_party_assistance': ['Aikido Security (analysis)',
'BleepingComputer (reporting)']},
'stakeholder_advisories': ['Developers: Audit dependencies for compromised '
'versions (installed between ~9 AM and ~11:30 AM '
'ET on the day of the attack).',
'NPM users: Check `package-lock.json` for '
'vulnerable transitive dependencies.',
'Cryptocurrency platforms: Warn users about '
'potential transaction hijacking via compromised '
'apps.'],
'title': 'Supply Chain Attack on NPM Packages via Compromised Maintainer '
'Account',
'type': ['supply chain attack',
'phishing',
'malware injection',
'cryptojacking'],
'vulnerability_exploited': ['human error (phishing susceptibility)',
'lack of multi-factor authentication (2FA) '
'enforcement',
'weak credential security']}