In September 2025, NPM suffered a large-scale supply chain attack after threat actors compromised multiple high-profile developer accounts via a targeted phishing campaign. The attackers impersonated NPM Support, tricking developers, including Josh Junon ('qix'), into entering their credentials on a spoofed login page. This allowed the insertion of malicious JavaScript clippers into **20 widely used NPM packages**, collectively downloaded **2.8 billion times weekly**. The malware intercepted cryptocurrency transactions (BTC, ETH, SOL, etc.), redirecting funds to attacker-controlled wallets without user detection.

Though the compromised packages were reverted and the accounts secured, the breach exposed a systemic vulnerability: **human error as the weakest link in supply chain security**. The attack leveraged urgency-driven phishing (fake '2FA update' emails) and bypassed standard email authentication (SPF/DKIM/DMARC). While no direct customer data leaks or ransomware were reported, the incident risked **financial losses for end-users**, **reputational damage to NPM**, and **erosion of trust in open-source ecosystems**. The scale of affected packages, integrated into countless applications, amplified potential downstream impacts, including fraudulent transactions and operational disruptions for dependent organizations.
Source: https://gbhackers.com/email-security-technique/
TPRM report: https://www.rankiteo.com/company/npm-inc-
```json
{
  "id": "npm2433024110125",
  "linkid": "npm-inc-",
  "type": "Cyber Attack",
  "date": "9/2025",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
```
```python
{
    'affected_entities': [
        {'customers_affected': '2.8 billion weekly package downloads',
         'industry': 'software development',
         'name': 'NPM (Node Package Manager)',
         'type': 'package registry'},
        {'industry': 'software development',
         'name': "Josh Junon (aka 'qix')",
         'type': 'individual developer'},
        {'industry': 'software development',
         'name': 'Four additional unnamed NPM developers',
         'type': 'individual developers'},
    ],
    'attack_vector': ['phishing email',
                      'spoofed domain (npmjs[.]help)',
                      'malicious link',
                      'cloned login page'],
    'data_breach': {
        'sensitivity_of_data': ['high (account takeover risk)'],
        'type_of_data_compromised': ['developer credentials (NPM account access)'],
    },
    'date_detected': '2025-09-08',
    'description': 'Threat actors compromised multiple high-profile NPM developer accounts '
                   'through a sophisticated phishing campaign, inserting malicious code '
                   '(JavaScript clipper) into 20 popular NPM packages with nearly 2.8 billion '
                   'weekly downloads. The malware diverted cryptocurrency transactions to '
                   'attacker-controlled wallets. The incident was contained after remediation '
                   'efforts reverted packages to clean versions and secured affected developer '
                   'accounts.',
    'impact': {
        'brand_reputation_impact': ['erosion of trust in NPM ecosystem security'],
        'data_compromised': ['developer credentials (NPM accounts)'],
        'identity_theft_risk': ['developer account takeover'],
        'operational_impact': ['malicious code distribution via 2.8B weekly package downloads',
                               'cryptocurrency transaction interception'],
        'payment_information_risk': ['cryptocurrency wallet address replacement '
                                     '(BTC, ETH, SOL, TRX, LTC, BCH)'],
        'systems_affected': ['20 NPM packages',
                             "developer accounts (including Josh Junon aka 'qix')"],
    },
    'initial_access_broker': {
        'backdoors_established': ['malicious JavaScript clipper in 20 NPM packages'],
        'entry_point': ['phishing email to NPM developers'],
        'high_value_targets': ['NPM developer accounts (e.g., Josh Junon)'],
    },
    'investigation_status': 'Resolved (packages reverted, accounts secured, IoCs published)',
    'lessons_learned': [
        'Human element remains the most reliable attack vector in sophisticated ecosystems.',
        'Standard email authentication (SPF/DKIM/DMARC) is insufficient against advanced phishing.',
        'Multi-layered email security (behavioral analysis, domain reputation, threat '
        'intelligence) is critical for supply chain defense.',
        'Urgency-based social engineering tactics are highly effective against developers.',
    ],
    'motivation': ['financial gain (cryptocurrency theft)',
                   'supply chain disruption'],
    'post_incident_analysis': {
        'corrective_actions': ['Deployment of advanced email protection (e.g., Group-IB BEP).',
                               'Reversion of compromised NPM packages to clean versions.',
                               'Publication of IoCs for industry-wide threat detection.'],
        'root_causes': ['Successful phishing campaign exploiting urgency and spoofed NPM '
                        'support domain.',
                        'Inadequate email security controls (reliance on SPF/DKIM/DMARC '
                        'without behavioral analysis).',
                        'Human vulnerability to social engineering tactics.'],
    },
    'recommendations': [
        'Implement advanced email protection solutions (e.g., Group-IB BEP) with behavioral '
        'analysis.',
        'Enhance developer security training for phishing and social engineering.',
        'Monitor for newly registered domains spoofing legitimate services.',
        'Enforce multi-factor authentication (MFA) with phishing-resistant methods '
        '(e.g., hardware keys).',
        'Conduct regular audits of package integrity in supply chains.',
    ],
    'references': [{'source': 'Group-IB Threat Intelligence Report'},
                   {'source': 'GBH News Article (September 2025)'}],
    'response': {
        'communication_strategy': ['publication of indicators of compromise (IoCs) via '
                                   'Group-IB Threat Intelligence platform'],
        'containment_measures': ['reverted compromised NPM packages to clean versions',
                                 'secured affected developer accounts'],
        'enhanced_monitoring': ['Group-IB Business Email Protection (BEP) for advanced '
                                'phishing detection'],
        'incident_response_plan_activated': True,
        'third_party_assistance': ['Group-IB (threat intelligence and analysis)'],
    },
    'stakeholder_advisories': ['Group-IB Threat Intelligence platform updates'],
    'title': 'Large-Scale NPM Ecosystem Compromise via Phishing Campaign (September 2025)',
    'type': ['supply chain attack',
             'phishing',
             'malware injection',
             'credential harvesting',
             'cryptocurrency theft'],
    'vulnerability_exploited': ['human error (urgency-induced credential entry)',
                                'lack of advanced email protection',
                                'domain spoofing bypassing SPF/DKIM/DMARC'],
}
```