NPM Supply-Chain Attack: What Happened and How to Fix It
Securities.io maintains rigorous editorial standards and may receive compensation from reviewed links. We are not a registered investment adviser and this is not investment advice. Please view our affiliate disclosure.

The cryptocurrency industry, and the software world at large, recently experienced a jumpscare when security researchers identified a supply-chain attack on the Node.js ecosystem that had already compromised at least 18 npm packages.
The alarm was justified: together, these packages are downloaded well over a billion times per week.
Software packages are used to distribute third-party software. Often pulled from an external source through a package manager, they usually include source code, libraries, documentation, and other files required to build and run the software.
Malicious packages come in two forms. Some are lookalikes that masquerade as a legitimate package; others, as in this incident, are genuine, widely used packages whose maintainer account was hijacked so that a new, malicious version could be published under a trusted name. Either way, once such a version is installed, the malicious code runs with the privileges of the application or build that pulled it in, and can modify files, steal data, or take over the host entirely.
While other major open source ecosystems like Python and .NET are just as vulnerable to attacks, the wide usage of JavaScript makes it particularly exposed to cybercriminals.
Node.js is an open-source JavaScript runtime, built on the V8 engine, that lets developers run JavaScript outside the web browser.
JavaScript, the interpreted language best known for making web pages interactive, was traditionally confined to client-side code running in browsers; Node.js extended it to servers, command-line tooling, and other applications.
With Node.js, developers can build fast and scalable applications like web servers, APIs, tools, and more.
It benefits from a vast ecosystem of open-source libraries and tools available through npm, which simplifies development and provides solutions for various functionalities.
Node Package Manager, or npm, is a key tool in JavaScript development, which is used to find, build, and manage code packages. It helps in handling dependencies, enabling collaboration, and streamlining workflows.
The npm registry, the world’s largest software registry, holds over 3 million packages and is free to use.
Anyone can download all npm public software packages without needing to register. Open-source developers use npm to share and borrow software, while many organizations use it to manage private development.
npm ships with Node.js, so installing Node.js on your computer installs npm as well.
The package manager for JavaScript is maintained by npm, Inc., a subsidiary of GitHub, the world’s leading software development platform, which has been owned by Microsoft since 2018, when the tech giant acquired it for $7.5 billion to empower developers.
Last week, a maintainer account on the registry that more than 17 million developers worldwide rely on was hijacked, creating panic on the Internet, though only for a short moment: researchers caught the malicious releases early, and the attackers made off with only about $50. Here’s what happened.
What Happened in the NPM Supply-Chain Attack (Sept 2025)
In the massive supply chain attack that took place on the JavaScript ecosystem, hackers compromised a series of npm packages with malware. The aim behind the attack was to steal digital assets from unsuspecting users.
The entry point was the npm account of the open-source maintainer ‘qix’.
That account was taken over through a phishing attack, which allowed the attackers to publish malicious versions of 18 popular npm packages. Together, these packages are downloaded well over a billion times per week, because they sit deep in the dependency trees of frameworks, developer tooling, and production services.
The packages affected include chalk, debug, color-name, wrap-ansi, and ansi-styles, which are some of the most popular ones, with less popular npm packages affected being backslash, chalk-template, and has-ansi.
| Package | Compromised version(s) | Action |
|---|---|---|
| debug | 4.4.2 | Pin to pre-4.4.2; reinstall; scan build logs |
| chalk | 5.6.1 | Pin to pre-5.6.1; redeploy clean build |
| ansi-styles | 6.2.2 | Pin to pre-6.2.2; audit downstream deps |
| ansi-regex | 6.2.1 | Pin to pre-6.2.1 |
| strip-ansi | 7.1.1 | Pin to pre-7.1.1 |
| wrap-ansi | 9.0.1 | Pin to pre-9.0.1 |
| color, color-convert, color-string, color-name | 5.0.1 / 3.1.1 / 2.1.1 / 2.0.1 | Pin to pre-listed versions; re-lock and rebuild |
| has-ansi, supports-color, slice-ansi | 6.0.1 / 10.2.1 / 7.1.1 | Pin to pre-listed versions |
| backslash, is-arrayish, error-ex, simple-swizzle, chalk-template, supports-hyperlinks | 0.2.1 / 0.3.3 / 1.3.3 / 0.2.3 / 1.1.1 / 4.1.1 | Pin to pre-listed versions |
| duckdb, @duckdb/node-api, @duckdb/node-bindings, @duckdb/duckdb-wasm | 1.3.3 / 1.3.3 / 1.3.3 / 1.29.2 | Avoid listed versions; await vendor updates |
The malicious versions have since been removed from the npm registry. By compromising a high-value open-source maintainer, the attack weaponized the trust on which the open-source software (OSS) ecosystem runs: developers do not audit every dependency they use. They rely on a package’s popularity and reputation, and on the registry’s own security.

In order to compromise the packages, the hacker took the phishing route. The attacker first launched a phishing campaign to hijack the account of an npm package maintainer, then injected their malicious code into npm packages before uploading their compromised versions.
Developer Josh Junon, the person behind ‘qix’, fell victim to a phishing email that was part of a larger campaign impersonating npm. The attackers used a phishing site that mimicked npm’s login page to steal his credentials, and as soon as they got in, they locked Junon out by changing the email address on file for his npm account.
“Hi, yep I got pwned. Sorry everyone, very embarrassing,” wrote Junon on Hacker News, confirming the incident. He explained what happened, before clarifying that only his npm account was affected:
“Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site.”
The phishing email came from support [at] npmjs [dot] help and used a scare tactic to get Junon to click on the link, which redirected him to the phishing site.
Pretending to be from npm, the attackers asked him to update his 2FA credentials, claiming to be part of an “ongoing commitment to account security,” and that they are requesting the same from all users.
“Our records indicate that it has been over 12 months since your last 2FA update,” stated the phishing email, adding that those with “outdated 2FA credentials will be temporarily locked starting September 10, 2025, to prevent unauthorized access.”
The same email was also used to target other package maintainers and developers.
Given the wide usage of affected packages, this could have become a major incident if it hadn’t been handled so quickly.
As Charlie Eriksen of Aikido Security noted in his report, countless websites narrowly avoided serious damage: the compromised packages carried code that would execute in the browser of anyone visiting a site that shipped them.
“This malware is essentially a browser-based interceptor that hijacks both network traffic and application APIs,” he stated in his attack analysis. “What makes it dangerous is that it operates at multiple layers: Altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing. Even if the interface looks correct, the underlying transaction can be redirected in the background.”
The malicious code was designed to steal crypto. The payload scans for strings that look like cryptocurrency wallet addresses, putting crypto-related applications and their users at risk.
The malware worked quietly within the browser without the user knowing, rewriting wallet addresses and redirecting funds to accounts controlled by the attacker. On a compromised system it directly hijacks and manipulates transactions across Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash.
To do this, the malicious code monitored browser application programming interfaces like fetch and wallet interfaces like window.ethereum.
The malicious code “silently intercepts crypto and Web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user,” said Erickson.
After a swap, the malware leaves no visible trace and stays resident to catch any future transactions on the unsuspecting victim’s machine.
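The interception described above works by replacing the browser’s request functions with JavaScript wrappers that sit between the page and the network. The following is an added example, not code from the article or from Aikido’s analysis: a tripwire that checks whether `fetch` (and `XMLHttpRequest`, the other common request API, which the article does not mention) is still the engine’s native implementation or has been swapped for a wrapper. The “tampered” scope and the pass-through hook are constructed for the demonstration; the real payload rewrote traffic rather than passing it through.

```javascript
// Added example (not from the article or Aikido's analysis): detect whether the
// browser request APIs the malware hooked have been replaced by JavaScript wrappers.

// Native (engine-provided) functions stringify to "function fetch() { [native code] }".
// A JavaScript wrapper installed by a malicious dependency stringifies to its own source.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// The APIs to inspect, resolved against a scope object (in a browser, pass `window`).
// Entries that the scope does not provide at all are skipped, not flagged.
function resolveTargets(scope) {
  const targets = [['fetch', scope.fetch]];
  if (scope.XMLHttpRequest && scope.XMLHttpRequest.prototype) {
    targets.push(['XMLHttpRequest.prototype.open', scope.XMLHttpRequest.prototype.open]);
    targets.push(['XMLHttpRequest.prototype.send', scope.XMLHttpRequest.prototype.send]);
  }
  return targets.filter(([, fn]) => typeof fn === 'function');
}

// Returns the names of APIs that are present but are no longer native code.
function findHookedApis(scope) {
  return resolveTargets(scope)
    .filter(([, fn]) => !isNativeFunction(fn))
    .map(([name]) => name);
}

// Constructed scenario: a wrapper of the kind the malicious versions installed.
// This one only forwards the call; the real payload inspected and rewrote the traffic.
function installPassthroughHook(scope) {
  const original = scope.fetch;
  scope.fetch = function hookedFetch(...args) {
    return original.apply(this, args);
  };
  return scope;
}

// Constructed scopes standing in for `window` before and after the hook.
const cleanScope = { fetch: globalThis.fetch };
const tamperedScope = installPassthroughHook({ fetch: globalThis.fetch });

function demo() {
  return { clean: findHookedApis(cleanScope), tampered: findHookedApis(tamperedScope) };
}
```

Two caveats apply. `window.ethereum.request` is itself JavaScript injected by the wallet extension, so the native-code test cannot be applied to it. And an attacker who also patches `Function.prototype.toString` can make a wrapper look native, so this check is a tripwire that complements, rather than replaces, pinned and verified dependencies.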
Given the severity of the attack, Charles Guillemet, the CTO at hardware wallet provider Ledger, warned crypto users to be cautious when confirming on-chain transactions. The affected packages, he noted in a post on X, have already been downloaded over 1 billion times.
The large-scale supply chain attack, he shared with the community, is targeting crypto software wallets with the malicious payload “silently swapping crypto addresses on the fly to steal funds.”
“If you use a hardware wallet, pay attention to every transaction before signing and you’re safe. If you don’t use a hardware wallet, refrain from making any on-chain transactions for now.”
– Guillemet
Meanwhile, 0xngmi, the pseudonymous founder of the crypto analytics platform DefiLlama, took to X to share that “the effective impact area is much smaller than ‘all websites’”, as only projects that were updated after the malware-infected npm versions were published may be at risk. Still, “it’s just safer to avoid using crypto websites till this blows over and they clean up the bad packages,” he added.
In the end, hackers were only able to steal $50 worth of cryptocurrency from such a massive supply chain attack. The $50 involves Ether and a bunch of meme coins like Brett and Andy, among others.

However, that outcome owed more to luck than to anything else, as the crypto security group Security Alliance noted on X:
“This could’ve been much worse. A stealthily deployed backdoor that targeted developer machines with a focus on persistence could have stayed under the radar for who knows how long.”
Since then, many crypto applications such as Aave, Uniswap, Ledger, Jupiter, MetaMask, Phantom, Blast, and others have notified their audiences that they are safe from the npm attack.
While the attack largely failed, it is a stark reminder for developers that security has to extend beyond their own codebase. Even software dependencies that have been trusted and widely used for years can be compromised at any time.
Here, coding platforms like GitHub and npm also need to do more to ensure the safety of broadly used packages.
“More popular packages should require attestation that they came through trusted provenance and not just randomly from some location on the Internet.”
– Eriksen

Compromises of widely used packages can, after all, be disastrous for downstream developers, some of whom end up abandoning their projects entirely after such an incident.
The incident is a testament to just how interconnected and vulnerable today’s software ecosystem is to exploitation. A single compromised account can provide attackers with a massive reach, making it critical to implement improved supply chain security measures at every step of the development process.
Safeguarding Against the Fast-Rising Threat of Malware
With malware threats on the rise and the attacks becoming more advanced and targeted, it is important for users to be educated and always be vigilant across all platforms.
Malicious software or malware is actually one of the most common types of cyberattacks. Here, attackers develop a software code or computer program with the intention to gain access or cause damage to the victim’s computer without the victim knowing that they have been compromised.
Every year, billions of malware attacks happen all over the world on all kinds of devices and operating systems. Using malware, cybercriminals hold not just devices but entire enterprise networks hostage.
By gaining unauthorized access to the victim’s devices, attackers steal digital assets and sensitive data, including login credentials, credit card numbers, and other valuable information. Malware attacks are increasingly targeting businesses due to companies holding significant amounts of personal data, which hackers can exploit to extort large sums of money.
Data shows that the majority (59%) of organizations were hit by ransomware in 2024. Even smaller companies aren’t safe, with 47% of them hit by ransomware last year. Meanwhile, the average ransom payment surged by 500% to $2 million over the same period.
The average cost of recovering from a ransomware attack has also climbed as high as $2.73 million. Malware remains one of the biggest threats the Internet faces, and it takes many forms, all built to harm computer systems and their users.
Viruses, ransomware, trojans, worms, spyware, adware, and cryptojacking are all types of malware. All of them are designed to gain unauthorized access to a network or to damage computer systems.
When it comes to the root causes of attacks, the biggest one at 32% is attackers exploiting vulnerabilities, followed by compromised credentials (29%) and then malicious emails (23%).
So how can one protect oneself against this ever-present threat? The first and simplest step is to keep your operating system and software up to date. It is also critical not to click on just anything on the Internet. Crypto users in particular must be suspicious of links and must not download anything they are not sure about.
The same goes for email attachments. Be wary of opening suspicious emails and keep file-sharing to a minimum. It is prudent to have antivirus software installed on your device.
While attacks may be inevitable, organizations can prepare for them by strengthening their defenses. The most straightforward measures are strong passwords, multi-factor authentication, and VPNs, all of which individuals can also use to protect themselves.
Organizations need to constantly monitor devices for signs of suspicious activity, assess any vulnerabilities, and perform penetration testing. Backups of sensitive data on drives disconnected from the network, meanwhile, will help in recovery from malware attacks.
Employees need to be trained to spot such attacks better and respond quickly by having incident response plans and knowing who to contact upon suspecting a malware threat.
By utilising the zero trust network architecture, companies can ensure that no one can get access to data or assets that they shouldn’t. In zero trust, users are never trusted and always verified.
In today’s hyper-digital life, these practices can help one safeguard oneself against the perils of an increasingly interconnected world.
When it comes to malicious packages, the general malware recommendations still apply, but the npm ecosystem calls for additional precautions: its open nature, heavy reuse of tiny packages, and very large dependency trees make it particularly exposed.
Before installing a package, check that it is reliable. Commit a lockfile and install from it with `npm ci`, so that a build gets exactly the versions and tarball integrity hashes you reviewed rather than whatever newest release happens to match a semver range; that is what kept projects that did not update during the attack window safe here.
When looking for signs of illegitimacy, besides the source and ownership of the package, examine any changes made to the maintainers. You may also want to look into what packages do and the need for them.
Use security tools that continuously monitor for new threats and provide actionable advice to mitigate the situation. npm audit checks can be run for known vulnerabilities in the project’s dependencies. Implementing automated security scans before deployment, meanwhile, will make sure that only reviewed and approved code gets into production.
To protect yourself from this particular attack, pin the affected packages to the last clean versions published before the compromise, using the overrides field in package.json (which also applies to transitive dependencies), then reinstall so the lockfile reflects the override.
Run npm audit or use software composition analysis (SCA) tools to check for affected versions in your dependency tree. Monitor for any Indicators of Compromise (IoCs) by checking your build logs, developer environments, and outbound traffic for suspicious activity.
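The two steps above, checking the dependency tree for the listed versions and drafting the overrides, can be done against a project’s package-lock.json directly. The following is an added example, not code from the article or from npm: it walks a lockfile (version 2 or 3 format), reports every installed copy of a package whose version appears in the table above, including nested copies, and drafts the matching overrides block. The sample lockfile is constructed for the demonstration. The override values assume that each compromised release was a patch bump over the last clean one, which is what the table’s “pin to pre-X” advice implies; confirm the actual last clean version with `npm view <pkg> versions` before committing.

```javascript
// Added example (not the article's or npm's own code): scan a lockfile for the
// compromised versions in the table above and draft the matching package.json overrides.

// name -> compromised versions, transcribed from the table in this article.
const COMPROMISED_VERSIONS = {
  debug: ['4.4.2'],
  chalk: ['5.6.1'],
  'ansi-styles': ['6.2.2'],
  'ansi-regex': ['6.2.1'],
  'strip-ansi': ['7.1.1'],
  'wrap-ansi': ['9.0.1'],
  color: ['5.0.1'],
  'color-convert': ['3.1.1'],
  'color-string': ['2.1.1'],
  'color-name': ['2.0.1'],
  'has-ansi': ['6.0.1'],
  'supports-color': ['10.2.1'],
  'slice-ansi': ['7.1.1'],
  backslash: ['0.2.1'],
  'is-arrayish': ['0.3.3'],
  'error-ex': ['1.3.3'],
  'simple-swizzle': ['0.2.3'],
  'chalk-template': ['1.1.1'],
  'supports-hyperlinks': ['4.1.1'],
  duckdb: ['1.3.3'],
  '@duckdb/node-api': ['1.3.3'],
  '@duckdb/node-bindings': ['1.3.3'],
  '@duckdb/duckdb-wasm': ['1.29.2'],
};

// In lockfile v2/v3 the "packages" keys are install paths such as
// "node_modules/chalk" or "node_modules/foo/node_modules/@duckdb/node-api";
// the package name is everything after the last "node_modules/".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Walk every installed package (including nested copies) and report the ones
// whose exact version is on the compromised list.
function findCompromised(lock) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = entry.name || nameFromLockPath(lockPath);
    const bad = COMPROMISED_VERSIONS[name];
    if (bad && bad.includes(entry.version)) {
      hits.push({ name, version: entry.version, path: lockPath });
    }
  }
  return hits;
}

// Assumption (not from the article): each compromised release was a patch bump over
// the last clean one, as the table's "pin to pre-X" advice implies, so the last clean
// version is X with its patch number decremented. Confirm with `npm view <pkg> versions`.
function previousPatch(version) {
  const parts = version.split('.').map(Number);
  parts[2] -= 1;
  return parts.join('.');
}

// Draft the "overrides" object for package.json from the hits.
function buildOverrides(hits) {
  const overrides = {};
  for (const { name, version } of hits) overrides[name] = previousPatch(version);
  return overrides;
}

function scanReport(lock) {
  const hits = findCompromised(lock);
  return { hits, overrides: buildOverrides(hits) };
}

// Constructed sample lockfile: one direct and one nested compromised install,
// plus two clean versions that must not be flagged.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.6.1' },
    'node_modules/debug': { version: '4.4.1' },
    'node_modules/ansi-styles': { version: '6.2.1' },
    'node_modules/some-tool/node_modules/@duckdb/node-api': { version: '1.3.3' },
  },
};

// Stand-alone use (CommonJS): `node scan-lock.js path/to/package-lock.json`;
// with no argument it reports on the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('node:fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  console.log(JSON.stringify(scanReport(lock), null, 2));
}
```

Paste the drafted object into package.json under `"overrides"`, run `npm install` so the lockfile is regenerated, and confirm with `npm ls <pkg>` that no copy of the listed version remains anywhere in the tree. The nested copy in the sample is the point of using overrides rather than editing your own dependency ranges: the compromised version was pulled in by a tool you never listed directly.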
Final Thoughts: Hardening Open-Source Dependencies
The threats on the internet are constantly rising and getting more sophisticated.
With attackers turning to new attack vectors and targeting under-resourced projects, it is becoming crucial for developers, enterprises, and users not to wait for the threat to appear before acting, but to take proactive measures because one weak link can take down an entire system.
Staying informed about emerging threats, continuously auditing the software supply chain, and monitoring for compromise are what it takes to keep up with ever-evolving cyber risks.