Compromised files replace npm packages with a combined 2 billion weekly downloads


  • Over a dozen popular npm packages were compromised in a phishing-based supply chain attack
  • The malware targeted crypto users by hijacking wallet addresses during transactions
  • Some called it the most widespread npm compromise to date, affecting 2 billion weekly downloads

More than a dozen npm packages with two billion downloads a week were compromised in a supply chain attack that targeted cryptocurrency users.

Researchers at Aikido Security spotted the maintainer account Qix (real name Josh Junon) publishing malicious updates. In less than an hour, multiple versions were uploaded, and soon after Junon himself confirmed the attack and apologized for the mess:

“Yep, I’ve been pwned. 2FA reset email, looked very legitimate,” Junon wrote on Bluesky, confirming that the breach started with a convincing phishing email.

Targeting crypto users

“Only NPM affected, I’ve sent an email off to @npmjs.bsky.social to see if I can get access again. Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up,” he stressed, showing how even the most careful people can get hit if they lower their guard.

According to The Hacker News, this is the list of 20 compromised packages, cumulatively accounting for 2 billion weekly downloads:

  • ansi-regex@6.2.1
  • ansi-styles@6.2.2
  • backslash@0.2.1
  • chalk@5.6.1
  • chalk-template@1.1.1
  • color-convert@3.1.1
  • color-name@2.0.1
  • color-string@2.1.1
  • debug@4.4.2
  • error-ex@1.3.3
  • has-ansi@6.0.1
  • is-arrayish@0.3.3
  • proto-tinker-wc@1.8.7
  • supports-hyperlinks@4.1.1
  • simple-swizzle@0.2.3
  • slice-ansi@7.1.1
  • strip-ansi@7.1.1
  • supports-color@10.2.1
  • supports-hyperlinks@4.1.1
  • wrap-ansi@9.0.1

At the same time, CyberInsider described it as “the most widespread supply chain compromise in the history of the npm ecosystem.”

The malware distributed through the packages apparently targeted cryptocurrency users. It is designed to intercept crypto transactions and swap the destination wallet address for one controlled by the attackers. Ethereum, Solana, Bitcoin, Tron, Litecoin, and Bitcoin Cash seem to be the chains targeted in this campaign.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
