Home / The Largest npm Supply Chain Attack: What Happened, Impact, and How to Respond

The Largest npm Supply Chain Attack: What Happened, Impact, and How to Respond

Ng S.T. Chong

On September 8, 2025, the JavaScript ecosystem faced its most significant supply chain compromise to date – 18 popular JavaScript code packages were compromised by a phishing attack in an attempt to spread crypto malware to billions of victims. This incident affected packages with over 2 billion weekly downloads, demonstrating the catastrophic potential of supply chain attacks in our interconnected digital infrastructure.

Critical Point: This attack affects ALL JavaScript developers and applications, regardless of cryptocurrency involvement. The malware payload specifically targeted crypto transactions, but the attack demonstrates a vulnerability that extends to every JavaScript project.

The Attack Vector: A Sophisticated Phishing Campaign

The compromise began with a meticulously crafted phishing operation targeting Josh Junon, the maintainer of critical npm packages including chalk and debug. The phishing email appeared to come from a legitimate email address linked to npmjs.com, support[at]npmjs[dot]help, complete with official-looking branding, but which was in fact malicious.

What made this attack particularly dangerous was its preparation. The malicious infrastructure was established days before the actual phishing attempt, indicating coordinated planning rather than opportunistic hacking. The attacker successfully tricked Junon into entering his credentials on a fraudulent npm support portal, which included a 2FA reset process that appeared entirely legitimate.

Once access was gained, the attacker moved swiftly to inject malicious code across all 18 packages under Junon’s control, pushing updates that would be automatically pulled by millions of applications worldwide.

Compromised Packages and Their Massive Reach

The attack targeted fundamental building blocks of the JavaScript ecosystem. In total, the packages represent more than 2 billion downloads every week. The affected packages included:

The attack targeted fundamental building blocks of the JavaScript ecosystem. In total, the packages represent more than 2 billion downloads every week. The affected packages included:

  • ansi-styles (371.41 million)
  • debug (357.6 million)
  • chalk (299.99 million)
  • supports-color (287.1 million)
  • strip-ansi (261.17 million)
  • ansi-regex (243.64 million)
  • wrap-ansi (197.99 million)
  • color-convert (193.5 million)
  • color-name (191.71 million)

Medium-Impact Packages (10M+ weekly downloads):

  • slice-ansi (59.8 million)
  • error-ex (47.17 million)
  • color-string (27.48 million)
  • simple-swizzle (26.26 million)
  • supports-hyperlinks (19.2 million)
  • has-ansi (12.1 million)

Additional Affected Packages:

  • chalk-template (3.9 million)
  • is-arrayish (73.8 million)
  • backslash (0.26 million)

These packages serve as dependencies for virtually every major JavaScript framework, build tool, and application, creating an attack surface that spans the entire ecosystem.

The Malware: A Multi-Layer Browser Interceptor

The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.

This malware is essentially a browser-based interceptor that hijacks both network traffic and application APIs. It injects itself into functions like fetch, XMLHttpRequest, and common wallet interfaces, then silently rewrites values in requests and responses.

The sophisticated nature of this malware made it particularly dangerous:

Network Layer Manipulation:

  • Intercepted HTTP requests and responses
  • Modified API endpoints and payloads in real-time
  • Operated transparently to both users and applications

Wallet Interface Hijacking:

  • Hooked into popular Web3 wallet libraries
  • Replaced transaction recipients with attacker-controlled addresses
  • Maintained the appearance of legitimate transactions in user interfaces

Multi-Chain Cryptocurrency Targeting:

  • Supported multiple blockchain networks
  • Automatically detected and redirected various cryptocurrency transactions
  • Designed to steal both direct payments and token approvals

Rapid Detection and Response

The attack was contained remarkably quickly thanks to automated monitoring systems. Soon after their code was altered, cyber security firm Aikido started receiving alerts regarding the corrupted packages and began an investigation after alerting the maintainer.

The response timeline was critical:

  1. Minutes after publication: Aikido’s systems detected the malicious updates
  2. Within 5 minutes: The maintainer was notified
  3. Within hours: Most compromised packages were removed from npm
  4. Ongoing: Community-wide security audits and remediation efforts

However, the rapid response highlighted both the effectiveness of modern security monitoring and the razor-thin margin for error in supply chain security.

Actual Impact vs. Potential Catastrophe

While the attack was designed to steal cryptocurrency on a massive scale, the largest supply chain attack stole 5 cents in actual damages due to the swift response. This minimal financial impact, however, masks the enormous potential for destruction had the attack gone undetected for days or weeks.

Potential Consequences Avoided:

  • Millions of compromised applications across the web
  • Mass theft from cryptocurrency wallets and DeFi protocols
  • Complete compromise of Web3 application security
  • Erosion of trust in the entire npm ecosystem
  • Cascading security failures across business-critical systems

The incident serves as a stark reminder that the JavaScript supply chain operates with minimal safety margins, where hours or even minutes of exposure can determine the difference between a contained incident and a global catastrophe.

Comprehensive Remediation Strategy

Immediate Actions (Do Now)

1. Inventory and Audit

bash

# Check for compromised packages in your dependencies
npm audit --audit-level moderate
npm ls | grep -E "(chalk|debug|ansi-styles|supports-color|strip-ansi|color-convert|wrap-ansi|ansi-regex|color-name|slice-ansi|error-ex|color-string|simple-swizzle|supports-hyperlinks|has-ansi|chalk-template|is-arrayish|backslash)"

2. Complete Environment Cleansing

bash

# Remove all node_modules and lock files
rm -rf node_modules package-lock.json yarn.lock
# Reinstall from clean sources
npm install
# Or for yarn users
yarn install

3. Version Pinning and Lock File Regeneration

  • Pin all affected packages to known-safe versions
  • Generate new lock files after verification
  • Document specific version selections for audit trails

4. Security Credential Rotation

  • Rotate all API keys, tokens, and secrets that may have been exposed
  • Update environment variables in all deployment environments
  • Review and refresh database connections and service account credentials

Lessons Learned

This breach highlights the outsized impact supply chain attacks can have on global software ecosystems. Attackers exploited a single credential to reach millions of users, bypassing code review and technical defenses by merely tricking a trusted maintainer. As open-source grows, security practices and community vigilance must keep pace.

For every developer, organization, or business dependent on npm: the lesson is clear – Audit, update, and defend. Supply chain risks are no longer theoretical. They’re here, and next time could be worse.

References

https://www.cyberdaily.au/security/12611-18-popular-javascript-code-packages-hacked-to-spread-malware

https://medium.com/@_jaydeepkarale/largest-npm-hack-in-history-f953acf82b76

https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised