S10kSep 8, 2025
infowski
OK, so... Another day, another npm malware.
Seems like https://www.npmjs.com/package/debug version 4.4.2 has just been pushed out with a payload that seems like a ~~cryptominer installer~~ cryptostealer. Looking at weekly downloads... This... is bad.
debug

Lightweight debugging utility for Node.js and the browser. Latest version: 4.4.1, last published: 4 months ago. Start using debug in your project by running `npm i debug`. There are 55284 other projects in the npm registry using debug.

npm
Sep 8, 2025 at 1:33pmWeb
Show threadinfowskiSep 8, 2025
https://github.com/debug-js/debug/issues/1005 Looking at referenced issues - seems like a bigger campaign.
(RESOLVED) Version 4.4.2 published to npm is compromised · Issue #1005 · debug-js/debug

MESSAGE FROM @Qix- : PLEASE SEE #1005 (comment) FOR LATEST UPDATES. Version not present in this repo has been pushed out to npm. https://www.npmjs.com/package/debug/v/4.4.2?activeTab=code src/index...

GitHub
Show threadClaudiaSep 8, 2025
@informatic error-ex, too! https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the
Anatomy of a Billion-Download NPM Supply-Chain Attack

A massive NPM supply chain attack has compromised foundational packages like Chalk, affecting over 1 billion weekly downloads. We dissect the crypto-stealing malware and show you how to protect your projects immediately.

Observations
Show threadClaudiaSep 8, 2025
@informatic Possibly the same actor?
Show threadClaudiaSep 8, 2025
@informatic definitely a campaign https://github.com/debug-js/debug/issues/1005#event-3251156053
Show threadrarSep 8, 2025
@informatic looks like the infected version just got pulled from npm
Show threadrarSep 8, 2025
@informatic also going through that pile of xor it seems like a crypto clipper
Show threadrarSep 8, 2025

@informatic also that npm contributor seems to have been hit with an infostealer well over a year ago

which was just enough to get into a public database, but that could also be a coincidence