
Large-scale attack on popular npm packages: millions of websites and apps potentially affected

Several widely used npm packages (software building blocks) have been infected with malicious code. This happened after a successful phishing attack on one of the maintainers of these building blocks. An npm package is a building block that developers can use in their software so they don’t have to reprogram frequently used components every time. As a result, building blocks end up everywhere: in custom software as well as in standard products. Together, the infected components are downloaded and used more than 2 billion times a week by developers worldwide.

Phishing

The attackers gained access to the repository through a phishing email. The attack targeted Josh Junon (also known as Qix), a developer who is co-manager of several popular packages. Qix has the rights to add and approve new code, making his account sufficient to spread this malware.

Junon received a phishing email that looked very much like it came from npm itself, telling him to renew his two-factor authentication (2FA) via a link before Sept. 10, 2025. When he followed this link, he was taken to a fake website where he entered his username, password and 2FA code. This data was immediately intercepted by criminals through a so-called Adversary-in-the-Middle attack, which allowed them to gain access to his account. With that access, the attackers were then able to publish infected versions of twenty popular packages in the official npm registry.

On Bluesky, Junon responded, “Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.”

Which packages are affected?

Among others, the following npm packages temporarily contained malicious code:

  • chalk (widely used to display text in color in software tools)

  • debug (widely used for debugging)

  • ansi-regex, ansi-styles, wrap-ansi, strip-ansi (components that work with text formatting)

  • color-convert, color-string, color-name (for color management in software)

Together, these packages account for two billion downloads per week. Because they are often reused as building blocks in other packages, the infection was able to spread widely.
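As an added example (not code from the article or from any of the projects named), the following Node.js script audits a package-lock.json for the packages listed above and shows which other packages in the tree pull each one in, so transitive pull-ins are visible. The lockfile, the "some-cli" package and the version numbers in it are constructed for illustration; the compromised version numbers are not given on this page and must be compared against the npm advisory for the incident.

```javascript
// Packages named in the article; compare the versions this reports against the advisory.
const WATCHLIST = [
  "chalk", "debug", "ansi-regex", "ansi-styles", "wrap-ansi", "strip-ansi",
  "color-convert", "color-string", "color-name",
];

// Map a lockfile path such as "node_modules/a/node_modules/chalk" to "chalk".
function packageName(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Scan the lockfile v2/v3 "packages" map. Returns one finding per installed copy
// of a watched package: { name, version, path, dependents }, where dependents
// lists the lockfile paths of packages whose "dependencies" declare it.
function auditLockfile(lock, watchlist = WATCHLIST) {
  const pkgs = lock.packages || {};
  const entries = Object.entries(pkgs);
  const findings = [];
  for (const [path, meta] of entries) {
    if (path === "") continue; // "" is the root project itself, not a dependency
    const name = packageName(path);
    if (!watchlist.includes(name)) continue;
    const dependents = entries
      .filter(([p, m]) => p !== path && m.dependencies && name in m.dependencies)
      .map(([p]) => (p === "" ? "(root project)" : p));
    findings.push({ name, version: meta.version, path, dependents });
  }
  return findings;
}

// Constructed sample lockfile (versions are sample values, not the compromised ones):
// the root depends on chalk directly and on a hypothetical "some-cli" package that
// pulls in debug and ansi-styles transitively.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { chalk: "^5.0.0", "some-cli": "^1.0.0" } },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/some-cli": { version: "1.2.0", dependencies: { debug: "^4.0.0", "ansi-styles": "^6.0.0" } },
    "node_modules/debug": { version: "4.3.7" },
    "node_modules/ansi-styles": { version: "6.2.1" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version} (${f.path}) pulled in by: ${f.dependents.join(", ")}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; lockfiles in the older v1 format use a different layout and are not handled here.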

Particular risk for crypto providers

Analysis of the malware revealed that it was designed to steal cryptocurrency. The malicious code began by checking whether it was running in a browser, then hooked into functions such as window.fetch, XMLHttpRequest and window.ethereum.request. These are components that websites use to exchange data and control crypto wallets. This allowed the code to imperceptibly replace the recipient’s wallet address with that of the attacker during a payment; the forged address resembled the original and was therefore barely noticeable.

This type of attack comes under the heading of software supply chain attack. A supply chain attack targets not the end user directly, but a link in the software supply chain. Similar attacks have been seen before, for example through typosquatting (offering a package whose name is nearly identical to that of a popular package) or through slopsquatting (capitalizing on mistakes made by AI systems that recommend non-existent or incorrect package names).

In this case, the malware specifically targets crypto-related services, so most software that pulled in an infected version is unlikely to be affected by the payload.
