Malicious JavaScript compromise on npmjs.com

These packages, about a billion downloads prior

supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-name

Thread follows.

Example change and download stats on one of the 12 packages changed, incident started about 2 hours ago.
Example copy of one of the inserted JS: https://pastebin.com/bwLZrq02
Just reported to NPM, they work on it.
derekheld (@[email protected])

A bunch of packages published by qix in NPM just got backdoored, it looks like. Obfuscated code was added like two hours ago. #threatintel #npm

It's a cryptocurrency wallet drainer, RIP a load of devops dudes' crypto.
NPM on it, some packages nuked, more being nuked

If you want an idea of scale of trojan attempt - 'color' alone had 32m downloads in a week, the combined attempt was pushing a billion due to upstream dependencies.

Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.

additional backdoored packages

ansi-styles
debug
chalk
supports-color
strip-ansi
ansi-regex
has-ansi

@GossiTheDog Do you have a list of the compromised versions?

For a few of these, when I check, I see that the version published this morning is still present and is the latest version. But a quick glance at the code and I don't see the compromise; I'm just doing a quick scan, but some of these packages are so simple that there really aren't many places you could hide it:

https://www.npmjs.com/package/has-ansi?activeTab=code

I'm just trying to compile a list of compromised versions so I can do a quick scan of our systems, but for some of these I haven't been able to find an exploited version.

Maybe the attacker's script failed to insert the exploit, as we do see a number of these packages all updated at the same time, but I don't see the exploit code in them. Packages fitting that pattern:

* color
* supports-color
* strip-ansi
* ansi-regex
* has-ansi

(note: all of this is based on a quick glance using the code tab on the NPM registry; it's possible that I could have missed the right file, or missed it when scanning visually, or the code tab might not be showing the version it claims, or the like)


@GossiTheDog Here's my best attempt at a list of the bad versions:

- supports-hyperlinks 4.1.1
- chalk-template 1.1.1
- simple-swizzle 0.2.3
- slice-ansi 7.1.1
- error-ex 1.3.3
- is-arrayish 0.3.3
- wrap-ansi 9.0.1
- backslash 0.2.1
- color-string 2.1.1
- color-convert 3.1.1
- color 5.0.1
- color-name 2.0.1
- ansi-styles 6.2.2
- debug 4.4.2
- chalk 5.6.1
- supports-color 10.2.1
- strip-ansi 7.1.1
- ansi-regex 6.2.1
- has-ansi 6.0.1

Edit: updated with confirmed versions from author who was pwned: https://news.ycombinator.com/item?id=45169794

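Two checks a defender can run offline against the version list above, combining the hunt tip earlier in the thread (registry.npmjs.org URLs in proxy logs carry the package name, and tarball fetches also carry the version) with the "quick scan of our systems" the replier describes. This is an added example, not code from the thread, from npm, or from any of the affected packages; the proxy log lines and the lockfile contents are constructed sample input, and the Squid-like log layout is an assumption.

```javascript
// Added example: not code from the thread, npm, or any affected package.
// 1. parse registry.npmjs.org URLs out of proxy log lines,
// 2. walk a package-lock.json for pinned compromised versions.
// Log lines and lockfiles below are constructed sample input.

// IOC table: package name -> compromised version, as listed in the thread.
const COMPROMISED = new Map([
  ["supports-hyperlinks", "4.1.1"], ["chalk-template", "1.1.1"],
  ["simple-swizzle", "0.2.3"],      ["slice-ansi", "7.1.1"],
  ["error-ex", "1.3.3"],            ["is-arrayish", "0.3.3"],
  ["wrap-ansi", "9.0.1"],           ["backslash", "0.2.1"],
  ["color-string", "2.1.1"],        ["color-convert", "3.1.1"],
  ["color", "5.0.1"],               ["color-name", "2.0.1"],
  ["ansi-styles", "6.2.2"],         ["debug", "4.4.2"],
  ["chalk", "5.6.1"],               ["supports-color", "10.2.1"],
  ["strip-ansi", "7.1.1"],          ["ansi-regex", "6.2.1"],
  ["has-ansi", "6.0.1"],
]);

// Registry URL shapes (name always in the path, version only for tarballs):
//   metadata: https://registry.npmjs.org/<name>
//   tarball:  https://registry.npmjs.org/<name>/-/<name>-<version>.tgz
//   scoped:   https://registry.npmjs.org/@scope/<name>/-/<name>-<version>.tgz
function parseRegistryUrl(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  if (u.hostname !== "registry.npmjs.org") return null;
  const parts = decodeURIComponent(u.pathname).split("/").filter(Boolean);
  if (parts.length === 0) return null;
  const scoped = parts[0].startsWith("@");
  if (scoped && parts.length < 2) return null;
  const base = scoped ? parts[1] : parts[0];           // unscoped part of the name
  const name = scoped ? `${parts[0]}/${base}` : base;  // full package name
  const rest = parts.slice(scoped ? 2 : 1);
  if (rest.length === 2 && rest[0] === "-" && rest[1].endsWith(".tgz")) {
    const file = rest[1].slice(0, -".tgz".length);
    if (file.startsWith(base + "-")) return { name, version: file.slice(base.length + 1) };
  }
  return { name, version: null }; // metadata request: name only, no version
}

// Verdict for one URL: "COMPROMISED" (listed name at the bad version),
// "metadata-only" (listed name, no version in the URL: go check that
// client's lockfile), "other-version", or null if the package is not listed.
function classifyUrl(url) {
  const p = parseRegistryUrl(url);
  if (!p || !COMPROMISED.has(p.name)) return null;
  const verdict = p.version === null ? "metadata-only"
    : p.version === COMPROMISED.get(p.name) ? "COMPROMISED" : "other-version";
  return { name: p.name, version: p.version, verdict };
}

// Pull every registry.npmjs.org URL out of proxy log text; any log format
// works as long as the full URL is on the line.
function huntProxyLog(logText) {
  const results = [];
  logText.split("\n").forEach((line, i) => {
    for (const url of line.match(/https?:\/\/registry\.npmjs\.org\/[^\s"']+/g) || []) {
      const r = classifyUrl(url);
      if (r) results.push({ line: i + 1, url, ...r });
    }
  });
  return results;
}

// Scan a parsed package-lock.json (v2/v3 "packages" map, or v1 nested
// "dependencies" tree). Nested installs under node_modules/<x>/node_modules/
// are covered, which is where a transitively pulled bad version usually sits.
function scanLockfile(lock) {
  const hits = [];
  const check = (name, entry, path) => {
    if (entry.version && COMPROMISED.get(name) === entry.version) {
      hits.push({ name, version: entry.version, path });
    }
  };
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const i = key.lastIndexOf("node_modules/");
    if (i < 0) continue; // "" is the root project itself
    check(key.slice(i + "node_modules/".length), entry, key);
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(name, entry, path);
      walk(entry.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample input (Squid-like access.log shape; not real traffic).
const SAMPLE_PROXY_LOG = [
  "1757325600.123 45 10.1.2.3 TCP_MISS/200 1234 GET https://registry.npmjs.org/chalk - HIER_DIRECT/1.2.3.4 application/json",
  "1757325601.456 78 10.1.2.3 TCP_MISS/200 45678 GET https://registry.npmjs.org/chalk/-/chalk-5.6.1.tgz - HIER_DIRECT/1.2.3.4 application/octet-stream",
  "1757325602.789 12 10.1.2.4 TCP_MISS/200 44444 GET https://registry.npmjs.org/debug/-/debug-4.4.1.tgz - HIER_DIRECT/1.2.3.4 application/octet-stream",
  "1757325603.000 12 10.1.2.5 TCP_MISS/200 1000 GET https://example.com/index.html - HIER_DIRECT/5.6.7.8 text/html",
].join("\n");

// Constructed sample lockfile (v3 shape).
const SAMPLE_LOCKFILE = {
  name: "example-app", lockfileVersion: 3, packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.6.0" },
    "node_modules/debug": { version: "4.4.2" },
    "node_modules/foo/node_modules/ansi-regex": { version: "6.2.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(huntProxyLog(SAMPLE_PROXY_LOG));
  console.log(scanLockfile(SAMPLE_LOCKFILE));
}
```

A metadata-only hit (bare `/chalk` URL) means a client resolved the package during the window but the proxy log cannot tell which version it picked; that is the case to follow up with the lockfile scan on that host. Exact-version matching is deliberate: the thread's point is that only the versions published during the incident window carry the payload, so a semver range check would only add noise.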

@GossiTheDog Also, holy hell the left-pad nature of some of these deps. Here's the entire source of has-ansi:

import ansiRegex from 'ansi-regex';

const regex = ansiRegex({onlyFirst: true});

export default function hasAnsi(string) {
    return regex.test(string);
}

@GossiTheDog Looks like there's a full list on the orange site: https://news.ycombinator.com/item?id=45169657