Malicious JavaScript compromise on npmjs.com

These packages, about a billion downloads prior

supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-name

Thread follows.

Example change and download stats on one of the 12 packages changed, incident started about 2 hours ago.
Example copy of one of the inserted JS: https://pastebin.com/bwLZrq02
Malicious JS in NPM libraries - Pastebin.com

Just reported to NPM, they work on it.
derekheld (quoted post):

A bunch of packages published by qix in NPM just got backdoored it looks like. Obfuscated code was added like two hours ago. #threatintel #npm
It's a cryptocurrency wallet drainer, RIP a load of devops dudes' crypto.
NPM on it, some packages nuked, more being nuked

If you want an idea of scale of trojan attempt - 'color' alone had 32m downloads in a week, the combined attempt was pushing a billion due to upstream dependencies.

Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.

additional backdoored packages

ansi-styles
debug
chalk
supports-color
strip-ansi
ansi-regex
has-ansi

Weekly download stats for impacted packages prior to incident

ansi-styles (371.41m)
debug (357.6m)
backslash (0.26m)
chalk-template (3.9m)
supports-hyperlinks (19.2m)
has-ansi (12.1m)
simple-swizzle (26.26m)
color-string (27.48m)
error-ex (47.17m)
color-name (191.71m)
is-arrayish (73.8m)
slice-ansi (59.8m)
color-convert (193.5m)
wrap-ansi (197.99m)
ansi-regex (243.64m)
supports-color (287.1m)
strip-ansi (261.17m)
chalk (299.99m)

Total 2674m

Phishing email sent to maintainers, they basically targeted people with 2FA by getting them to... reset their 2FA.
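The hunt tip earlier in the thread (look for registry.npmjs.org in proxy logs, the package names are in the URLs) worked through on constructed proxy log lines, as an added example that is not part of the thread: it pulls the package name out of the registry URL path, including tarball and scoped-package forms, and flags any fetch of the 18 packages named above. The log line layout, timestamps, client addresses and version numbers are all assumptions; the thread does not name the malicious versions.

```python
"""Flag fetches of the packages named in the thread in web proxy logs."""
import re
from urllib.parse import unquote, urlsplit

# The package names from both lists in the thread (18 in total).
IMPACTED = {
    "supports-hyperlinks", "chalk-template", "simple-swizzle", "slice-ansi",
    "error-ex", "is-arrayish", "wrap-ansi", "backslash", "color-string",
    "color-convert", "color", "color-name", "ansi-styles", "debug", "chalk",
    "supports-color", "strip-ansi", "ansi-regex", "has-ansi",
}

# Assumed (constructed) log shape: "<timestamp> <client-ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def npm_package_from_url(url):
    """Return the package name a registry.npmjs.org URL refers to, else None.
    Covers metadata URLs (/chalk, /chalk/1.2.3), tarballs (/chalk/-/chalk-1.2.3.tgz)
    and scoped packages written as /@scope/name or percent-encoded /@scope%2fname."""
    parts = urlsplit(url)
    if parts.hostname != "registry.npmjs.org":
        return None
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if not segments:
        return None
    if segments[0].startswith("@"):
        if "/" in segments[0]:          # "@scope%2fname" decoded to "@scope/name"
            return segments[0]
        return segments[0] + "/" + segments[1] if len(segments) > 1 else None
    return segments[0]


def hunt(lines, impacted=IMPACTED):
    """Return (timestamp, client, package, url) for each fetch of an impacted package."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # not in the assumed layout; skip
        ts, client, _method, url, _status = m.groups()
        pkg = npm_package_from_url(url)
        if pkg in impacted:
            hits.append((ts, client, pkg, url))
    return hits


# Constructed sample log; version numbers are placeholders, not the malicious releases.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z 10.1.2.3 GET https://registry.npmjs.org/chalk/-/chalk-1.2.3.tgz 200
2025-01-01T10:00:02Z 10.1.2.3 GET https://registry.npmjs.org/debug 200
2025-01-01T10:00:03Z 10.1.2.4 GET https://registry.npmjs.org/@types%2fnode 200
2025-01-01T10:00:04Z 10.1.2.4 GET https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz 200
2025-01-01T10:00:05Z 10.1.2.5 GET https://example.com/chalk 200
""".splitlines()

if __name__ == "__main__":
    for ts, client, pkg, url in hunt(SAMPLE_LOG):
        print(f"{ts} {client} fetched impacted package {pkg}: {url}")
```

A hit only says the client pulled one of the named packages; whether it got the backdoored release still has to be checked against the version in the URL or in the client's lockfile.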
@GossiTheDog It's incredible that high profile targets like npm or GitHub STILL aren't enforcing Security Keys...

@leoluk @GossiTheDog Draconian systems that limit who can write and publish code are NOT the solution here.

The solution is not having LPMs (language package managers) that pull code from unvetted package repositories in an automated manner, and languages that encourage using thousands of random garbage microdependencies rather than well-vetted, versioned libraries.

@dalias @leoluk @GossiTheDog The thousands of micro dependencies thing. For real. That is the main reason I don’t touch node with a ten foot pole. Just write a dang standard library that does … like even a couple things?

@joby @leoluk @GossiTheDog Or even just copy&paste the 9 lines of code you needed!

It's about the same amount of code as the interface surface declaring the dependency you needed and binding to it - but without introducing any new interface surface or trust surface!

External dependencies that are not c&p into your own code make sense for something large and complex that's likely subject to bugs/fixes, changing requirements of third-party things they interface with, etc. Not for trivial stuff that's a couple lines of js.

@dalias @joby @leoluk @GossiTheDog

Indeed. I've been openly criticizing language built-in package managers for over a decade now. Having them encourages sloppy coding and short circuits developers' brains not to apply due diligence.

NPM, Pip, Cargo… IMHO those are inherently problematic. My personal motto in software development is: Find the dependencies and eliminate them!