Malicious javascript compromise on npmjs.com

These packages, about a billion downloads prior

supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-name

Thread follows.

Example change and download stats on one of the 12 packages changed, incident started about 2 hours ago.
Example copy of one of the inserted JS: https://pastebin.com/bwLZrq02
Just reported to NPM, they work on it.
derekheld:

A bunch of packages published by qix in NPM just got backdoored it looks like. Obfuscated code was added like two hours ago. #threatintel #npm

It's a cryptocurrency wallet drainer, RIP a load of devops dudes' crypto.
NPM on it, some packages nuked, more being nuked

If you want an idea of scale of trojan attempt - 'color' alone had 32m downloads in a week, the combined attempt was pushing a billion due to upstream dependencies.

Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.

additional backdoored packages

ansi-styles
debug
chalk
supports-color
strip-ansi
ansi-regex
has-ansi

Weekly download stats for impacted packages prior to incident

ansi-styles (371.41m)
debug (357.6m)
backslash (0.26m)
chalk-template (3.9m)
supports-hyperlinks (19.2m)
has-ansi (12.1m)
simple-swizzle (26.26m)
color-string (27.48m)
error-ex (47.17m)
color-name (191.71m)
is-arrayish (73.8m)
slice-ansi (59.8m)
color-convert (193.5m)
wrap-ansi (197.99m)
ansi-regex (243.64m)
supports-color (287.1m)
strip-ansi (261.17m)
chalk (299.99m)

Total 2674m
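The hunt tip earlier in the thread (registry.npmjs.org URLs in proxy logs carry the package name) as a worked example. This is added code, not something posted in the thread: it parses registry URLs, including tarball paths and %2f-encoded scoped names, and flags fetches of the packages listed above against a constructed sample log whose version numbers are made up.

```python
import re
from urllib.parse import unquote, urlparse

# The packages named in the thread (both lists combined).
COMPROMISED_PACKAGES = {
    "ansi-regex", "ansi-styles", "backslash", "chalk", "chalk-template",
    "color", "color-convert", "color-name", "color-string", "debug",
    "error-ex", "has-ansi", "is-arrayish", "simple-swizzle", "slice-ansi",
    "strip-ansi", "supports-color", "supports-hyperlinks", "wrap-ansi",
}
REGISTRY_HOST = "registry.npmjs.org"
URL_RE = re.compile(r"https?://\S+")


def parse_registry_url(url):
    """Return (package, version-or-None) for a registry.npmjs.org URL, else None.

    Handles metadata URLs (/chalk), tarball URLs (/chalk/-/chalk-X.Y.Z.tgz)
    and scoped packages, whose slash is often sent as %2f (/@scope%2fname)."""
    u = urlparse(url)
    if u.hostname != REGISTRY_HOST:
        return None
    parts = [p for p in unquote(u.path).strip("/").split("/") if p]
    if not parts:
        return None
    if parts[0].startswith("@"):  # scoped package: "@scope/name"
        if len(parts) < 2:
            return None
        name, rest = parts[0] + "/" + parts[1], parts[2:]
    else:
        name, rest = parts[0], parts[1:]
    version = None
    if len(rest) >= 2 and rest[0] == "-" and rest[1].endswith(".tgz"):
        # tarball filename is "<unscoped name>-<version>.tgz"
        prefix = name.split("/")[-1] + "-"
        fname = rest[1][: -len(".tgz")]
        if fname.startswith(prefix):
            version = fname[len(prefix):]
    return name, version


def hunt(log_lines):
    """Return (line_no, package, version) for every fetch of a listed package."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for url in URL_RE.findall(line):
            parsed = parse_registry_url(url)
            if parsed and parsed[0] in COMPROMISED_PACKAGES:
                hits.append((n, parsed[0], parsed[1]))
    return hits


# Constructed proxy log lines; versions and the @acme scope are invented.
SAMPLE_PROXY_LOG = [
    "GET https://registry.npmjs.org/chalk/-/chalk-9.9.9.tgz 200",
    "GET https://registry.npmjs.org/debug 200",
    "GET https://registry.npmjs.org/@acme%2fcolor/-/color-1.2.3.tgz 200",
    "GET https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz 200",
    "CONNECT registry.npmjs.org:443 200",  # no path visible without TLS inspection
    "GET https://example.com/chalk/-/chalk-9.9.9.tgz 200",  # wrong host, ignored
]

if __name__ == "__main__":
    for line_no, pkg, ver in hunt(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {pkg} {ver or '(metadata only)'}")
```

The CONNECT line shows the limit of the tip: a proxy that only records the TLS tunnel sees the host but not the package path, so the names are only in the URLs when traffic is plain HTTP or the proxy inspects TLS.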

Phishing email sent to maintainers, they basically targeted people with 2FA by getting them to... reset their 2FA.
@GossiTheDog It's incredible that high profile targets like npm or GitHub STILL aren't enforcing Security Keys...

@leoluk @GossiTheDog Draconian systems that limit who can write and publish code are NOT the solution here.

The solution is not having LPMs (language package managers) that pull code from unvetted package repositories in an automated manner, and languages that encourage using thousands of random garbage microdependencies rather than well-vetted, versioned libraries.

@dalias @leoluk @GossiTheDog at the very least, let's check GPG signatures rather than just SHA checksums
@stevel @dalias @leoluk @GossiTheDog Given they got 2FA phished, OpenPGP would solve exactly nothing, you'd get a new key with the name of the dev on it and people would just accept it at face value, remember NPM has 0 vetting.

And if you'd want to actually verify it's the correct key… good luck, almost no one makes sure to put copies of their OpenPGP keys in multiple places.
@lanodan @leoluk @GossiTheDog @stevel This. The only real solution is not putting authors in a place of directly being able to push code for immediate automatic consumption. This would have been a non issue if new versions not tagged for immediate review as security fixes and reviewed as such had a 5-10 day waiting period before they'd be pulled. I'm not saying delay is the only or necessarily best way, but you've gotta stop making these gratuitous and dangerous update channels.
@lanodan @leoluk @GossiTheDog @stevel Also let's not forget that no 2FA or signing key security theater would prevent the version of this attack where a maintainer transfers ownership to a malicious party (selling out), decides to go rogue, or whatever.
@dalias @leoluk @GossiTheDog @stevel Yeah, at best it could make it noisier, like with the developer receiving at least one email about account updates, which given the phish they could see as normal given those notifications typically don't tell you what was changed.

In fact it also reminds me that I don't think I've ever seen a website actually verify that the emails listed in the OpenPGP key can actually use said key (I would know, one of the entries in mine isn't email but my fediverse ID).
Something which has been the normal workflow for SSL/TLS certificates for decades.

@dalias @lanodan @leoluk @GossiTheDog I'd add "not need to download everything on every use", the way JS and docker runtimes like. We've grown complacent from high bandwidth downloads and the honesty of the majority of developers.

So looking forward to the first crypto-drainer attack which acquires the US treasury crypto assets and that post mortem which will follow.