In the latest high-profile supply chain attack, malicious code was slipped into popular npm packages that together account for over 2 billion weekly downloads. The first account to be compromised belonged to Josh Junon, a prolific open source maintainer and a legendary figure in the developer community, better known to many of you as Qix. He fell prey to a phishing campaign that masqueraded as legitimate communication from npm. On both fronts, the attack lays bare dangerous deficiencies in our software supply chains and raises alarming questions about the security of extremely popular open source packages.
On September 8, 2025, Qix received an email from an address that appeared to be affiliated with npm, urging him to update his two-factor authentication (2FA) credentials. The email, sent from “support@npmjs[.]help” (a lookalike of the genuine npmjs.com domain), contained a link to a phishing page that captured his username, password and one-time 2FA code. Because a time-based 2FA code expires within seconds, the attackers almost certainly relayed it to npm in real time, which makes this an adversary-in-the-middle (AitM) phishing attack: it defeats TOTP codes, but not phishing-resistant methods such as FIDO2/WebAuthn security keys, which are bound to the legitimate origin.
Scope of the Attack
The repercussions of this breach are significant. The attackers used the stolen credentials to publish malicious versions of the packages Qix maintains to the npm registry. Among the roughly 20 compromised packages are widely used libraries such as ansi-regex@6.2.1, chalk@5.6.1, debug@4.4.2 and supports-color@10.2.1. The same phishing campaign also compromised the duckdb_admin account, affecting @duckdb/duckdb-wasm@1.29.2 and duckdb@1.3.3. Only the specific versions listed were malicious; earlier and later releases are unaffected. npm removed the malicious versions within hours, but any install or lockfile update that ran in that window could have pulled them in.
What makes this breach so serious is the download volume of the affected packages. Combined, they are fetched over 2 billion times per week, largely as transitive dependencies that most projects never list directly. With that reach, the compromised versions could have landed in the builds of millions of developers and the applications of the enterprise end users who rely on them.
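Because the affected libraries are almost always transitive dependencies, the practical question for a team is simply whether any of the exact versions named above ended up in a lockfile. The following is an added example written for this article (not code from npm, from Qix or from any affected project) that scans a package-lock.json with a lockfileVersion 2 or 3 `packages` map for those name@version pairs; the version list is copied from this article, and the sample lockfile is constructed for the demonstration.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2/3 "packages" map)
// for the compromised versions named in the article. Not project code.

// Known-bad name@version pairs exactly as listed in the article. For a real
// audit, feed this from your own advisory source rather than hard-coding it.
const COMPROMISED = new Map([
  ["ansi-regex", new Set(["6.2.1"])],
  ["chalk", new Set(["5.6.1"])],
  ["debug", new Set(["4.4.2"])],
  ["supports-color", new Set(["10.2.1"])],
  ["@duckdb/duckdb-wasm", new Set(["1.29.2"])],
  ["duckdb", new Set(["1.3.3"])],
]);

// Lockfile keys are install paths. The package name is whatever follows the
// last "node_modules/", so nested copies and scoped names are handled:
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns {path, name, version} for every installed copy whose name@version
// is in COMPROMISED. Takes the parsed lockfile object.
function findCompromised(lock) {
  const hits = [];
  const packages = lock.packages || {};
  for (const [lockPath, meta] of Object.entries(packages)) {
    if (lockPath === "") continue; // the root project entry, not a dependency
    const name = meta.name || nameFromLockPath(lockPath); // aliases carry "name"
    const bad = COMPROMISED.get(name);
    if (bad && meta.version && bad.has(meta.version)) {
      hits.push({ path: lockPath, name, version: meta.version });
    }
  }
  return hits;
}

// Convenience wrapper for a lockfile on disk.
function scanLockfile(file) {
  const fs = require("fs");
  return findCompromised(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lockfile (not from a real project): one clean debug,
// one compromised nested debug, one compromised chalk, one clean duckdb-wasm.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.6.1" },
    "node_modules/debug": { version: "4.4.1" },
    "node_modules/some-cli/node_modules/debug": { version: "4.4.2" },
    "node_modules/@duckdb/duckdb-wasm": { version: "1.29.1" },
  },
};

// Usage: node scan-lock.js path/to/package-lock.json (exit code 1 on any hit).
// With no argument the constructed sample is scanned instead.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const hits = file ? scanLockfile(file) : findCompromised(SAMPLE_LOCK);
  for (const h of hits) {
    console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  }
  process.exitCode = hits.length ? 1 : 0;
}
```

The scan is deliberately exact-match: a `^5.6.0` range in package.json tells you nothing, because the resolved version in the lockfile is what was installed. Version 1 lockfiles use a nested `dependencies` tree instead of the flat `packages` map and are not handled here; run the check against the lockfile in CI, not only on a developer machine, since that is where the poisoned install most likely happened.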
Financial Implications
The financial impact of this breach is still being determined. Initial reports put the attackers' take at only around $600, traced to the cryptocurrency wallets hard-coded into the malicious package versions; of that, about $429 came from Ethereum transactions. The small haul should not be mistaken for a small incident: the same access could have planted far quieter payloads. The theft is part of a broader trend in which malicious actors hijack trusted packages in order to profit from their illicit activities.
Ilkka Turunen, a security expert, commented on the broader implications of this attack:
“What we are seeing unfold with the npm packages chalk and debug is an unfortunately common instance today in the software supply chain.”
“The malicious payload was focused on crypto theft, but this takeover follows a classic attack that is now established – by taking over popular open source packages, adversaries can steal secrets, leave behind backdoors and infiltrate organizations.”
Responses and Future Considerations
Junon acknowledged the mistake publicly, expressed remorse for not recognizing the phishing attempt sooner, and committed to cleaning up the affected packages:
“Sorry everyone, I should have paid more attention.”
“Not like me; have had a stressful week. Will work to get this cleaned up.”
Security researchers at Socket analysed the injected code and describe it as a browser-based interceptor: it hooks the page's network traffic and wallet APIs and rewrites requests and responses so that cryptocurrency transactions are redirected to attacker-controlled addresses:
“The payload begins by checking typeof window !== ‘undefined’ to confirm it is running in a browser.”
They also noted that developers who merely install the packages are not the primary targets of this malware; the browser check means the hooking code does not run in a Node.js process such as a build or server. The intended victims are end users of web applications that shipped the compromised versions, and developers become victims in exactly the same way if they browse such a site while connected to their cryptocurrency wallets.
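The interception pattern Socket describes is ordinary monkey-patching: replace a function on a shared object with a wrapper that forwards to the original while rewriting what passes through it. The following is an added example written for this article, not the actual payload and not code from Socket or any affected project: it reduces that pattern to a stand-in object so nothing global is touched, then shows the check a web application can run to detect that a browser builtin has been wrapped. The replacement address, the stand-in API and the sample transaction are all constructed for the demonstration.

```javascript
// Added example, not the real payload. Shows (1) the hook-and-rewrite shape of
// a browser-side interceptor and (2) a native-function integrity check.

// Placeholder attacker address for the demo (40 'a' hex digits, not a real wallet).
const REPLACEMENT_ADDRESS = "0x" + "a".repeat(40);
const ETH_ADDRESS = /0x[0-9a-fA-F]{40}/g;

// The same guard Socket quotes from the payload: only act inside a browser.
function runningInBrowser() {
  return typeof window !== "undefined";
}

// Rewrite every Ethereum-looking address inside any JSON-serialisable value,
// used for request arguments on the way in and responses on the way out.
function swapAddresses(value) {
  return JSON.parse(JSON.stringify(value).replace(ETH_ADDRESS, REPLACEMENT_ADDRESS));
}

// Monkey-patch target[method]: rewrite the arguments, call the original, rewrite
// the result (synchronous value or Promise). Hooking fetch,
// XMLHttpRequest.prototype.send or window.ethereum.request has exactly this shape.
function installInterceptor(target, method, rewrite) {
  const original = target[method];
  target[method] = function hooked(...args) {
    const result = original.apply(this, rewrite(args));
    return result && typeof result.then === "function" ? result.then(rewrite) : rewrite(result);
  };
  return original; // the hook keeps this to forward calls transparently
}

// Defence: a genuine builtin reports "[native code]" from Function.prototype.toString,
// while a JavaScript wrapper reports its own source. The original toString is
// captured at load time so a redefined .toString on the wrapper cannot lie to us.
const nativeToString = Function.prototype.toString;
function isNativeFunction(fn) {
  return typeof fn === "function" && /\{\s*\[native code\]\s*\}/.test(nativeToString.call(fn));
}

// Names of the listed methods on target that are no longer native builtins.
function checkIntegrity(target, methods) {
  return methods.filter((m) => !isNativeFunction(target[m]));
}

// Demo on a constructed object so the global JSON object is left intact.
// JSON.parse stands in for a native browser API such as fetch.
function runDemo() {
  const api = { parse: JSON.parse };
  const victimTx = `{"to":"0x${"1".repeat(40)}","value":"0x1"}`;

  const before = checkIntegrity(api, ["parse"]); // nothing wrapped yet
  installInterceptor(api, "parse", swapAddresses);
  const after = checkIntegrity(api, ["parse"]);  // "parse" is now a JS wrapper
  const rewritten = api.parse(victimTx);          // destination swapped in flight

  return { before, after, rewrittenTo: rewritten.to, valueUntouched: rewritten.value };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runDemo());
}
```

Two caveats for anyone turning the check into real monitoring. It only applies to genuine builtins such as fetch and XMLHttpRequest: window.ethereum is injected by a wallet extension in plain JavaScript and never reports native code, so it must be verified differently (for example by checking the destination shown in the wallet's own confirmation prompt rather than in the page). And V8 prints "[native code]" for bound functions too, so a wrapper built with Function.prototype.bind would pass this test; treat the check as a heuristic, and prefer loading a fresh copy of the API from a sandboxed iframe when you need a trustworthy reference.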