Supply Chain Attack on Npm Repository: Attackers Inject Malware into Widely Used Open-Source Packages

By Sebastian Gerstl | Translated by AI


A supply chain attack of immense scale has shaken the JavaScript community: attackers succeeded in injecting malicious code into nearly two dozen popular open-source packages, which collectively receive two billion downloads weekly.

A successful phishing attack has shaken the JavaScript ecosystem. Malware made its way into at least 18 open-source packages distributed via npm, which collectively reach over two million downloads weekly.
(Image: freely licensed / Pixabay)

A large-scale supply chain attack on the npm ecosystem has compromised key components of JavaScript development. More than 20 widely used packages have been infected with malicious code—including Chalk, Debug, ansi-regex, and Strip-ansi. Together, these libraries achieve over two billion downloads per week. This is one of the largest known attacks on the software supply chain in the open-source sector to date.

Targeted Attack On A Co-Maintainer's Two-Factor Authentication

The starting point was a successful phishing attack on developer Josh Junon, known by the handle "Qix." The attackers gained access to his npm account by sending a deceptively authentic email in npm's name. Under the pretext of a required security update, Junon was tricked into entering his login credentials, including his two-factor authentication code, on the attackers' page.

Within a very short time, the attackers used the compromised account to upload manipulated versions of 18 to 20 packages. The malware injected itself into browser environments and specifically monitored network traffic related to cryptocurrency transactions. As soon as a payment was detected, the code stealthily replaced the destination address with a wallet controlled by the attacker.

Targeted Injection of Malicious Code for Covert Cryptocurrency Mining

The attack vector was technically sophisticated. According to an analysis by Aikido Security and Socket, the malware utilized techniques such as "hooking" JavaScript functions like fetch and XMLHttpRequest to deeply integrate itself into web applications. Targeted currencies included Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash.
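The hooking described above replaces browser networking functions with JavaScript wrappers. As an added example (not code from the article or from the Aikido or Socket analyses), the following check is one coarse way a web application can tell whether such a global still carries the engine's native body or has been wrapped; the list of globals probed and the constructed scope are assumptions for illustration.

```javascript
// Added example, not from the article or the Aikido/Socket analyses.
// Coarse client-side integrity check: does a network primitive still
// have the engine's "[native code]" body, or has a script wrapped it?

const NATIVE_BODY = /\{\s*\[native code\]\s*\}\s*$/;

// Call Function.prototype.toString directly so that an object carrying
// its own overridden toString does not get to answer for itself.
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  return NATIVE_BODY.test(Function.prototype.toString.call(fn));
}

// Return the names of the probed globals that exist but are not native.
function findWrappedGlobals(scope, names) {
  const wrapped = [];
  for (const name of names) {
    const fn = scope[name];
    if (typeof fn === "function" && !isNativeFunction(fn)) wrapped.push(name);
  }
  return wrapped;
}

// In a browser the call would be:
//   findWrappedGlobals(window, ["fetch", "XMLHttpRequest", "WebSocket"])
// The constructed scope below stands in for a page where fetch has been
// replaced by a JavaScript wrapper while XMLHttpRequest is untouched
// (Math.max plays the part of an arbitrary native function).
const CONSTRUCTED_SCOPE = {
  fetch: function fetch(...args) { return Promise.resolve(args.length); },
  XMLHttpRequest: Math.max,
};

console.log(
  "wrapped globals in constructed scope:",
  findWrappedGlobals(CONSTRUCTED_SCOPE, ["fetch", "XMLHttpRequest", "WebSocket"]),
);
```

This is a heuristic, not a guarantee: bound functions and callable Proxy objects also print as `[native code]`, so only plain wrappers are caught, and in Node.js `fetch` and `WebSocket` are themselves written in JavaScript (undici) and would be reported even when untouched. The durable control remains pinning and auditing dependencies rather than trusting the runtime to notice tampering.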

The immediate financial damages are so far minimal. According to analyses by Arkham Intelligence, cryptocurrencies worth approximately 500 USD were transferred to the attackers. However, security experts warn that the impact could have been significantly more severe—especially if, instead of crypto diversions, something like remote code execution or ransomware had been implemented.

The widespread use of the compromised packages is notable. Many of them not only form the foundation of numerous applications but are also deeply nested within other dependencies. The result: even projects that do not directly include the manipulated libraries could be indirectly affected. Socket refers to this as a significant "blast radius."

According to Socket, the following packages were affected by the malware attack:

  • backslash@0.2.1
  • chalk@5.6.1
  • chalk-template@1.1.1
  • color-convert@3.1.1
  • color-name@2.0.1
  • color-string@2.1.1
  • wrap-ansi@9.0.1
  • supports-hyperlinks@4.1.1
  • strip-ansi@7.1.1
  • slice-ansi@7.1.1
  • simple-swizzle@0.2.3
  • is-arrayish@0.3.3
  • error-ex@1.3.3
  • has-ansi@6.0.1
  • ansi-regex@6.2.1
  • ansi-styles@6.2.2
  • supports-color@10.2.1
  • proto-tinker-wc@1.8.7
  • debug@4.4.2

According to an estimate by security researcher Kevin Beaumont, the affected repositories collectively account for over 2.6 billion downloads per week.

Damage Caused is Hard to Measure

The incident once again raises fundamental questions about the security of the open-source supply chain. Although all affected versions were removed from the npm repository within hours, the potential damage is hard to quantify given the exponential spread. Developers should immediately check whether they were using affected versions and examine their systems for suspicious activities.

The attack is part of a series of other supply chain incidents. Simultaneously, in a separate attack, GitHub tokens and other authentication data in over 800 repositories were compromised. Additionally, the company Wiz reported on a campaign called "s1ngularity," in which attackers made private organizations' GitHub repositories public to gain access to further data.

The attack highlights that even well-established security measures like two-factor authentication are no guarantee of protection—especially against spear phishing or social engineering attacks. Infrastructures relying on volunteer maintainers are particularly vulnerable, especially when key individuals are targeted. The community faces the challenge of strengthening not only technical but also organizational resilience against targeted social engineering attacks.(sg)
