Crims have added backdoors to at least 18 npm packages after developer Josh Junon inadvertently authorized a reset of the two-factor authentication protecting his npm account.
The malware targets cryptocurrency transactions on various blockchains such as Ethereum, Bitcoin, Solana, and Tron.
In posts to Bluesky and GitHub on Monday, Junon acknowledged that a phishing email had duped him, allowing miscreants to take over his account.
“Sorry everyone, I should have paid more attention,” Junon wrote. “Not like me; have had a stressful week. Will work to get this cleaned up.”
The phishing email came from support@npmjs.help rather than npmjs.com, and several other developers have reported receiving a similar message.
Junon, who goes by Qix- on GitHub, has contributed to at least 80 npm packages. He identified 18 packages that have been affected. “This appears targeted, or at least with a filter for high downloads,” he wrote. “Many other packages on my account are untouched.”
Charlie Eriksen, security researcher at Aikido Security, said in a blog post that the firm detected the attack on September 8 at 1316 UTC.
“The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user,” Eriksen wrote.
The 18 compromised packages include:
* ansi-styles@6.2.2
* debug@4.4.2
* chalk@5.6.1
* supports-color@10.2.1
* strip-ansi@7.1.1
* ansi-regex@6.2.1
* wrap-ansi@9.0.1
* color-convert@3.1.1
* color-name@2.0.1
* is-arrayish@0.3.3
* slice-ansi@7.1.1
* color@5.0.1
* color-string@2.1.1
* simple-swizzle@0.2.3
* supports-hyperlinks@4.1.1
* has-ansi@6.0.1
* chalk-template@1.1.1
* backslash@0.2.1
Together, these packages account for about two billion downloads per week, said Aikido developer and security advocate Mackenzie Jackson in a LinkedIn post, and represent the largest software supply chain attack to date at npm.
Given that substantial install base, it’s likely some applications incorporating those packages were updated to the compromised versions during the approximately two-hour period before npm security and other project maintainers started taking the compromised code down. However, it appears the attacker hasn’t yet received any funds from the gambit.
Not all the affected packages appear to have been removed, however. At the time this story was filed, simple-swizzle@0.2.3 was still available.
Open source developer Sindre Sorhus suggests the following command line incantation, which requires the ripgrep search tool, to check whether any compromised packages have been installed:
```
rg -u --max-columns=80 _0x112fa8
```
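The ripgrep command above hunts for an identifier from the obfuscated payload. A complementary check, added here as an example and not part of the article or Sorhus's suggestion, is to scan a project's package-lock.json (lockfile v2/v3 layout, where `packages` maps `node_modules/...` paths to entries with a `version` field) for the exact name@version pairs listed above; the sample lockfile embedded below is constructed for the demonstration.

```javascript
// Added example: flag the 18 compromised name@version pairs from the article
// inside an npm lockfile object (lockfileVersion 2 or 3 "packages" map).

const COMPROMISED = new Set([
  "ansi-styles@6.2.2", "debug@4.4.2", "chalk@5.6.1", "supports-color@10.2.1",
  "strip-ansi@7.1.1", "ansi-regex@6.2.1", "wrap-ansi@9.0.1", "color-convert@3.1.1",
  "color-name@2.0.1", "is-arrayish@0.3.3", "slice-ansi@7.1.1", "color@5.0.1",
  "color-string@2.1.1", "simple-swizzle@0.2.3", "supports-hyperlinks@4.1.1",
  "has-ansi@6.0.1", "chalk-template@1.1.1", "backslash@0.2.1",
]);

// The package name is whatever follows the last "node_modules/" segment, so a
// nested install such as "node_modules/a/node_modules/chalk" resolves to
// "chalk" and scoped names like "@scope/pkg" are kept whole.
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Returns [{ path, name, version }] for every lockfile entry on the list.
// The root entry (key "") and entries without a version are skipped.
function findCompromised(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "" || !entry || !entry.version) continue;
    const name = nameFromLockKey(key);
    if (COMPROMISED.has(`${name}@${entry.version}`)) {
      hits.push({ path: key, name, version: entry.version });
    }
  }
  return hits;
}

// Convenience wrapper for raw lockfile text (e.g. fs.readFileSync output).
function findCompromisedInLockText(text) {
  return findCompromised(JSON.parse(text));
}

// Constructed sample lockfile: a clean chalk, and a compromised debug pulled
// in as a nested dependency of another package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.6.0" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/express/node_modules/debug": { version: "4.4.2" },
  },
};

console.log(findCompromised(SAMPLE_LOCK)); // one hit: the nested debug@4.4.2
```

Pass the contents of a real package-lock.json to `findCompromisedInLockText` to check a project; a non-empty result means a listed version is pinned in that tree and should be reinstalled at a clean version.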
According to ReversingLabs’ 2025 Software Supply Chain Security Report, 14 of the 23 crypto-related malicious campaigns in 2024 (61 percent) involved npm, with the remainder linked to the Python Package Index (PyPI). ®