Kevin BeaumontSep 8, 2025

Malicious javascript compromise on npmjs.com

These packages, about a billion downloads prior

supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-name

Thread follows.

Show threadKevin BeaumontSep 8, 2025
Example change and download stats on one of the 12 packages changed, incident started about 2 hours ago.
Show threadKevin BeaumontSep 8, 2025
Example copy of one of the inserted JS: https://pastebin.com/bwLZrq02
Malicious JS in NPM libraries - Pastebin.com

Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.

Pastebin
Show threadKevin BeaumontSep 8, 2025
Just reported to NPM, they work on it.
Show threadKevin BeaumontSep 8, 2025
Derek's caught it too https://infosec.exchange/@derekheld/115169311485030806
derekheld (@[email protected])

A bunch of packages published by qix in NPM just got backdoored it looks like. Obfuscated code was added like two hours ago. #threatintel #npm

Infosec Exchange
Show threadKevin BeaumontSep 8, 2025
It's a cryptocurrency wallet drainer, RIP a load of devops dudes crypto.
Show threadKevin BeaumontSep 8, 2025
NPM on it, some packages nuked, more being nuked
Show threadKevin BeaumontSep 8, 2025

If you want an idea of scale of trojan attempt - 'color' alone had 32m downloads in a week, the combined attempt was pushing a billion due to upstream dependencies.

Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.

Show threadKevin BeaumontSep 8, 2025

additional backdoored packages

ansi-styles
debug
chalk
supports-color
strip-ansi
ansi-regex
has-ansi

Show threadKevin BeaumontSep 8, 2025

Weekly download stats for impacted packages prior to incident

ansi-styles (371.41m)
debug (357.6m)
backslash (0.26m)
chalk-template (3.9m)
supports-hyperlinks (19.2m)
has-ansi (12.1m)
simple-swizzle (26.26m)
color-string (27.48m)
error-ex (47.17m)
color-name (191.71m)
is-arrayish (73.8m)
slice-ansi (59.8m)
color-convert (193.5m)
wrap-ansi (197.99m)
ansi-regex (243.64m)
supports-color (287.1m)
strip-ansi (261.17m)
chalk (299.99m)

Total 2674m

Show threadKevin BeaumontSep 8, 2025
Phishing email sent to maintainers, they basically targeted people with 2FA by getting them to.. reset their 2FA.
Show threadEdwin Martin
This npmjs phishing email led to npmjs.help. This site was a one-on-one copy of npmjs.com, even the search was functional. Fortunately, the site is offline now.
Sep 8, 2025 at 9:15pmWeb