A major security incident has hit the JavaScript ecosystem as more than 20 popular npm packages were compromised in a supply chain attack. These packages together are downloaded over 2 billion times every week, making the attack one of the most serious seen in recent years. Well-known libraries like chalk and debug were among those affected, raising concerns across the developer community worldwide.
The attack began on September 8, 2025, when malicious versions of these packages appeared on npm. Security teams quickly confirmed that at least 18 packages were involved, but later reports pushed the number closer to 20. Because these libraries are so widely used and often included as dependencies in other projects, the potential reach of this attack was extremely broad.
Investigations revealed that the attacker gained access to a popular maintainer’s account through a phishing campaign. The phishing emails came from support@npmjs.help, a fake domain designed to look like official npm support. The setup worked as a man-in-the-middle, stealing credentials and bypassing two-factor authentication. With control of the maintainer’s account, the attacker was able to publish malicious updates that spread across the ecosystem within hours.
The code added to the compromised packages was designed to steal sensitive information, especially information related to cryptocurrency. Security researchers discovered that the malware acted as a browser interceptor. It hooked into important functions like fetch and XMLHttpRequest, and even into crypto wallet providers such as window.ethereum. By doing this, it could monitor blockchain transactions and silently redirect approvals and transfers to attacker-controlled wallets.
The malicious payload was capable of targeting multiple blockchains, including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash. This made the attack particularly dangerous, as users interacting with web3 applications could unknowingly lose funds across different networks. What made it worse was that the malware could infect projects even if developers themselves were not working with crypto, simply because these libraries were included as indirect dependencies.
A detailed list of affected packages and versions has been shared by security companies. Some of the confirmed compromised versions include chalk@5.6.1, debug@4.4.2, ansi-styles@6.2.2, supports-color@10.2.1, strip-ansi@7.1.1, ansi-regex@6.2.1, wrap-ansi@9.0.1, slice-ansi@7.1.1, color-convert@3.1.1, color-name@2.0.1, color-string@2.1.1, is-arrayish@0.3.3, simple-swizzle@0.2.3, supports-hyperlinks@4.1.1, chalk-template@1.1.1, error-ex@1.3.3, has-ansi@6.0.1, backslash@0.2.1, and proto-tinker-wc@0.1.87. Developers who unknowingly used these versions may have exposed their applications and users to the attack.
Once the breach was identified, npm and the maintainers quickly acted to remove the malicious versions and replace them with clean releases. Companies like Vercel also cleared cached versions of the affected packages to reduce further risk. Security vendors responded rapidly by issuing advisories, publishing indicators of compromise, and creating detection rules so that organizations could check if they had been affected.
This incident shows how fragile open-source ecosystems can be. A single compromised maintainer account was enough to spread malware across libraries that millions of projects rely on daily. The fact that the attack targeted crypto wallets directly makes it one of the most dangerous npm-related breaches to date. It highlights the growing trend of attackers focusing on open-source supply chains as a way to maximize their reach and impact.
Developers and organizations are now being advised to review their dependency trees carefully. If any of the compromised versions were pulled into a project after September 8, 2025, teams should rebuild their applications with safe versions, check for suspicious code changes, and scan for signs of wallet-related malware. With billions of downloads at risk, this attack serves as a warning that the security of open-source software can never be taken lightly.
Stay alert, and keep your security measures updated!