In a significant escalation of supply chain attacks, cybercriminals have compromised 18 widely used npm packages that collectively account for over two billion downloads per week. The attack, initiated on September 8, 2025, injected malicious code designed to steal cryptocurrency from unsuspecting users.
Scope of the Attack
The affected packages include essential libraries such as `chalk`, `debug`, `ansi-styles`, and `supports-color`. These libraries are integral to numerous JavaScript projects, making the impact of this breach extensive. The malicious code was introduced in new versions of these packages and was engineered to execute on the client-side of websites utilizing them.
Mechanism of the Malware
The malware operates as a sophisticated in-browser interceptor, targeting both network traffic and application-level APIs. It achieves this by hooking into core browser functions like `fetch` and `XMLHttpRequest`, as well as interfaces for popular crypto wallets associated with Ethereum, Solana, and other blockchains.
The malicious code functions through a series of steps:
1. Injection and Hooking: The malware embeds itself into the browser environment and takes control of functions related to web requests and wallet communications.
2. Scanning for Sensitive Data: It actively scans network responses and transaction details for patterns matching cryptocurrency wallet addresses across various blockchains, including Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash.
3. Rewriting Wallet Addresses: Upon identifying a legitimate address, the malware replaces it with a look-alike address from a hardcoded list belonging to the attackers. This substitution is executed using string-matching algorithms to make the swap less noticeable to the user.
4. Hijacking Transactions: The code alters transaction parameters before the user signs them. Consequently, even if the user interface displays the correct recipient address, the signed transaction will route funds or grant token approvals to the attackers.
Method of Compromise
The maintainer of the compromised packages disclosed that they fell victim to a phishing attack. An email, seemingly from npm support, was sent from the domain `npmjs.help` and tricked the developer into revealing their credentials. The domain had been registered on September 5, 2025, only three days before the attack.
Upon realizing the compromise, the maintainer began efforts to remove the malicious versions of the packages. However, at the time of reporting, at least one package, `simple-swizzle`, remained compromised. The incident also suggested that the same attackers might have compromised another package, `proto-tinker-wc`, using similar methods.
List of Affected Packages and Versions
The following table lists the affected packages and their compromised versions:
| Package | Malicious Version |
|---------------------|-------------------|
| backslash | 0.2.1 |
| chalk-template | 1.1.1 |
| supports-hyperlinks | 4.1.1 |
| has-ansi | 6.0.1 |
| simple-swizzle | 0.2.3 |
| color-string | 2.1.1 |
| error-ex | 1.3.3 |
| color-name | 2.0.1 |
| is-arrayish | 0.3.3 |
| slice-ansi | 7.1.1 |
| color-convert | 3.1.1 |
| wrap-ansi | 9.0.1 |
| ansi-regex | 6.2.1 |
| supports-color | 10.2.1 |
| strip-ansi | 7.1.1 |
| chalk | 5.6.1 |
| debug | 4.4.2 |
| ansi-styles | 6.2.2 |
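As an added example that is not part of the original report, the following Node.js script checks an npm lockfile (v2/v3 `package-lock.json`, whose `packages` map is keyed by install path) against the versions in the table, including nested copies that a top-level-only check would miss; the lockfile layout handling and the sample lockfile are assumptions constructed for the example.

```javascript
// Added example (not from the article): flag installed packages whose
// name@version matches a compromised release listed in the table above.
// npm lockfiles v2/v3 carry a "packages" map keyed by install path.
const COMPROMISED = new Set([
  "backslash@0.2.1", "chalk-template@1.1.1", "supports-hyperlinks@4.1.1",
  "has-ansi@6.0.1", "simple-swizzle@0.2.3", "color-string@2.1.1",
  "error-ex@1.3.3", "color-name@2.0.1", "is-arrayish@0.3.3",
  "slice-ansi@7.1.1", "color-convert@3.1.1", "wrap-ansi@9.0.1",
  "ansi-regex@6.2.1", "supports-color@10.2.1", "strip-ansi@7.1.1",
  "chalk@5.6.1", "debug@4.4.2", "ansi-styles@6.2.2",
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns every {path, name, version} that is a known malicious release,
// including nested copies that a top-level-only check would miss.
function findCompromised(lockfile) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lockfile.packages || {})) {
    if (lockPath === "" || !meta || !meta.version) continue; // root project entry
    const name = packageNameFromPath(lockPath);
    if (COMPROMISED.has(`${name}@${meta.version}`)) {
      hits.push({ path: lockPath, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: clean debug, bad chalk, bad nested supports-color.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.6.1" },
    "node_modules/debug": { version: "4.3.7" },
    "node_modules/chalk/node_modules/supports-color": { version: "10.2.1" },
  },
};

// Usage: node scan-lock.js [package-lock.json]; defaults to the sample above.
if (typeof module !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const h of findCompromised(lock)) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
}
```

The scan only reports exact version matches from the table, so it complements, rather than replaces, a full dependency audit.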
Implications and Recommendations
This incident underscores the vulnerabilities inherent in the software supply chain, particularly within open-source ecosystems. Developers and organizations are urged to:
- Audit Dependencies: Regularly review and audit all project dependencies to identify and mitigate potential risks.
- Verify Package Integrity: Utilize tools and practices that verify the integrity of packages before integration into projects.
- Implement Multi-Factor Authentication (MFA): Enhance account security by enabling MFA to protect against unauthorized access.
- Stay Informed: Keep abreast of security advisories and updates from trusted sources to respond promptly to emerging threats.
By adopting these practices, developers can bolster the security of their projects and contribute to the overall resilience of the open-source community.