Cybersecurity: Compromise of Popular npm Packages
On September 8, 2025, a significant supply chain attack was identified, targeting 18 popular npm packages. These packages collectively account for over two billion downloads each week. The attack involved the insertion of malicious code designed to redirect cryptocurrency transactions to attacker-controlled accounts.
Technical Details
The affected packages include commonly used libraries such as chalk, debug, ansi-styles, and supports-color. The malicious code was shipped in new versions of these packages and executes on the client side of websites that use them.
The malware functions as an in-browser interceptor, targeting network traffic and application-level APIs by integrating with core browser functions like fetch and XMLHttpRequest. It also interfaces with popular cryptocurrency wallets for Ethereum, Solana, and other blockchains.
Malware Operation
- Injection and Hooking: The malware embeds itself into the browser environment, hijacking web requests and wallet communications.
- Scanning for Sensitive Data: It monitors network responses and transaction details for cryptocurrency wallet addresses across various blockchains, including Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash.
- Rewriting Wallet Addresses: Upon detecting a legitimate address, the malware replaces it with a similar-looking address from a hardcoded list owned by the attackers.
- Hijacking Transactions: The code modifies transaction parameters before user authorization, effectively redirecting funds or token approvals to attacker-controlled addresses.
Incident Response
The maintainer of the compromised packages indicated they were deceived by a phishing email from the domain npmjs.help, registered shortly before the attack. As of the report, efforts to remove malicious versions are ongoing, though at least one package, simple-swizzle, remains compromised. Another package, proto-tinker-wc, may also have been affected.
Affected Packages and Versions
| Package | Malicious Version |
|---|---|
| backslash | 0.2.1 |
| chalk-template | 1.1.1 |
| supports-hyperlinks | 4.1.1 |
| has-ansi | 6.0.1 |
| simple-swizzle | 0.2.3 |
| color-string | 2.1.1 |
| error-ex | 1.3.3 |
| color-name | 2.0.1 |
| is-arrayish | 0.3.3 |
| slice-ansi | 7.1.1 |
| color-convert | 3.1.1 |
| wrap-ansi | 9.0.1 |
| ansi-regex | 6.2.1 |
| supports-color | 10.2.1 |
| strip-ansi | 7.1.1 |
| chalk | 5.6.1 |
| debug | 4.4.2 |
| ansi-styles | 6.2.2 |

