Malicious JavaScript compromise on npmjs.com

These packages, about a billion downloads prior

supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-name

Thread follows.

Example change and download stats on one of the 12 packages changed, incident started about 2 hours ago.
Example copy of one of the inserted JS: https://pastebin.com/bwLZrq02
Just reported to NPM, they work on it.
derekheld (@[email protected])

A bunch of packages published by qix in NPM just got backdoored it looks like. Obfuscated code was added like two hours ago. #threatintel #npm

It's a cryptocurrency wallet drainer, RIP a load of devops dudes' crypto.
@GossiTheDog How do you drain a crypto wallet with JavaScript?
@mattb @GossiTheDog node is a platform for running javascript as a language on the host with system bindings, rather than in a sandboxed-to-domain browser context.
@dalias @mattb @GossiTheDog or it’s both. I only write it for in-browser use.

@mattb @GossiTheDog

Affected websites would largely run fine but if they were handling crypto transactions, the request is altered to the benefit of the attackers, sending funds to their wallet instead.

JavaScript lets you redefine standard features, and the malicious script redefines fetch, which is the standard function for calling URLs.
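
Added example, not part of the thread and not code from any of the affected packages: a defensive sketch of how an application can notice, or prevent, a later script replacing a global such as fetch. The helper names (`snapshotGlobals`, `findTampered`, `pinGlobals`) are hypothetical, and the demo uses constructed stand-in objects instead of the real global so it runs offline.

```javascript
// Added example (not from the thread): notice or prevent replacement of a
// global function such as fetch. All names here are hypothetical.

// Record the current function references; call before loading dependencies.
function snapshotGlobals(target, names) {
  const snap = new Map();
  for (const name of names) {
    if (typeof target[name] === "function") snap.set(name, target[name]);
  }
  return snap;
}

// Names whose current value is no longer the recorded function.
function findTampered(target, snap) {
  return [...snap].filter(([n, fn]) => target[n] !== fn).map(([n]) => n);
}

// Make the recorded properties read-only and non-configurable.
function pinGlobals(target, snap) {
  for (const [name, fn] of snap) {
    Object.defineProperty(target, name, {
      value: fn, writable: false, configurable: false, enumerable: true,
    });
  }
}

// Constructed stand-ins for a global object, so this runs offline.
function demo() {
  const realFetch = async (url) => `response from ${url}`;

  // Case 1: unpinned. A later script swaps in a wrapper; the snapshot notices.
  const open = { fetch: realFetch };
  const openSnap = snapshotGlobals(open, ["fetch"]);
  open.fetch = (url, init) => realFetch(url, init);
  const detected = findTampered(open, openSnap);

  // Case 2: pinned. The assignment throws (strict) or is ignored (sloppy).
  const locked = { fetch: realFetch };
  const lockedSnap = snapshotGlobals(locked, ["fetch"]);
  pinGlobals(locked, lockedSnap);
  try { locked.fetch = () => null; } catch { /* TypeError in strict mode */ }
  try { Object.defineProperty(locked, "fetch", { value: () => null }); } catch { /* non-configurable */ }
  return { detected, pinnedIntact: locked.fetch === realFetch,
           afterPin: findTampered(locked, lockedSnap) };
}

console.log(demo());
```

In a real page or Node process the target would be `globalThis`, with the snapshot and pin taken before any third-party module is loaded. Code that ran earlier, or that hooks a different API, is not covered by this check.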