https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack

Cybercriminals have executed what security researchers are calling the largest npm supply chain attack in history: 18 highly popular JavaScript packages that collectively receive over 2 billion downloads per week were compromised and injected with sophisticated malware designed to steal cryptocurrency and hijack web3 transactions. The attack, discovered on 8 September 2025, targeted fundamental development tools including chalk (300 million weekly downloads), debug (358 million) and ansi-styles (371 million), packages that are deeply embedded in the JavaScript ecosystem and used by millions of developers worldwide.

The compromise was achieved through a sophisticated social engineering attack against the maintainer known as “qix,” who received a convincing phishing email appearing to come from npm support warning about outdated two-factor authentication credentials and threatening account lockout. The phishing message directed the victim to a fake npm login page where they entered their credentials and 2FA token, providing attackers with full access to publish malicious versions of all packages under qix’s control. The injected malware was designed to execute on client websites, silently intercepting cryptocurrency transactions and web3 interactions to redirect funds to attacker-controlled wallets.

Security researchers from multiple organizations, including Wiz, Aikido Security and Sonatype, rapidly detected and reported the malicious packages, leading to their removal within approximately two hours of publication. Despite the brief exposure window, the attack’s potential impact was enormous given how widely these foundational packages are used across the JavaScript ecosystem; some estimates suggest the malicious code reached nearly 99% of environments that use these packages during the exposure period. The incident highlights critical vulnerabilities in software supply chain security, particularly the concentration of trust in individual maintainers of widely used open source packages, and has prompted discussion of stronger authentication requirements, automated malware detection, and better isolation of package publishing capabilities to prevent similar large-scale compromises in the future.