The npm ecosystem was subjected to one of its most significant supply chain attacks to date. A threat actor compromised the account of a prolific open-source maintainer and published malicious versions of 18 popular packages, including chalk and debug. The malicious versions were detected and removed within hours of discovery.
The initial vector was a sophisticated phishing campaign that successfully bypassed two-factor authentication (2FA) to achieve an account takeover. The injected payload was an advanced, client-side crypto-drainer designed to operate stealthily within a user’s browser. It hooked core web and Web3 APIs to intercept and manipulate cryptocurrency transactions across multiple blockchains.
The threat actor registered the phishing domain npmjs[.]help in advance, a clear act of premeditation that set the stage for the attack. The social engineering email created a false sense of urgency, claiming that the maintainer was required to update their two-factor authentication. The phishing link directed the victim to a website that was a pixel-perfect replica of the official npmjs.com login page.
The 18 compromised packages are not niche libraries but are foundational utilities that underpin a vast portion of the JavaScript ecosystem. Packages like chalk, debug, ansi-styles, and color-convert are essential for terminal string styling and debugging, making them ubiquitous. The primary risk vector, and the reason for the incident’s scale, is their status as transitive dependencies.
Recommendations:
- To identify the presence of this malware, security teams can search for its unique artefacts.
- Monitor any instance where a package manager process (npm, yarn, node) spawns unexpected child processes, particularly those associated with network activity or shell execution.
- Monitor for package manager processes attempting to access sensitive user directories or files.
- Enforce Lockfiles and Pinned Dependencies: a key defence against this type of attack is the disciplined use of lockfiles (package-lock.json, yarn.lock). The npm ci command performs a clean, deterministic installation based only on the exact versions specified in the lockfile, so an unexpected new release of a transitive dependency is not pulled in silently.
- Adopt Package Provenance: enable and enforce package provenance verification.
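As an added example (not code from the article or from the affected projects), the following Node.js script audits a package-lock.json for every copy of the packages named above, including transitive copies nested under other packages' node_modules, and flags entries that carry no integrity hash. The lockfile contents and version numbers are constructed samples; compare the reported versions against the advisory for the incident.

```javascript
// Added example, not part of the original article: audit a package-lock.json
// (lockfileVersion 2/3 "packages" map) for every copy of a set of watch-listed
// packages, including transitive copies nested under other node_modules paths,
// and flag entries with no integrity hash. Package names come from the article;
// the lockfile below and all of its version numbers are constructed samples.

const WATCHLIST = new Set(['chalk', 'debug', 'ansi-styles', 'color-convert']);

// Constructed sample lockfile: a top-level chalk, a second chalk nested under
// some-cli (a transitive copy), and a debug entry that has no integrity field.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { chalk: '^5.0.0', 'some-cli': '^1.0.0' } },
    'node_modules/chalk': { version: '5.3.0', integrity: 'sha512-AAAA' },
    'node_modules/some-cli': { version: '1.0.0', integrity: 'sha512-BBBB' },
    'node_modules/some-cli/node_modules/chalk': { version: '4.1.2', integrity: 'sha512-CCCC' },
    'node_modules/some-cli/node_modules/debug': { version: '4.3.4' },
  },
};

// The package name is everything after the last "node_modules/" segment,
// which also keeps scoped names such as "@scope/pkg" intact.
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// Returns one finding per watch-listed copy: where it sits in the tree, which
// version the lockfile pins, whether it is a nested (transitive) copy, and
// whether `npm ci` has an integrity hash to verify the tarball against.
function auditLockfile(lock, watchlist = WATCHLIST) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(lockPath);
    if (!name || !watchlist.has(name)) continue;
    findings.push({
      name,
      path: lockPath,
      version: entry.version,
      transitive: lockPath.split('node_modules/').length > 2,
      hasIntegrity: typeof entry.integrity === 'string',
    });
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(JSON.stringify(f));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; yarn.lock uses a different text format and needs its own parser.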