Malicious javascript compromise on npmjs.com

These packages, about a billion downloads prior

supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-name

Thread follows.

Example change and download stats on one of the 12 packages changed, incident started about 2 hours ago.
Example copy of one of the inserted JS: https://pastebin.com/bwLZrq02

Just reported to NPM, they work on it.
derekheld (@[email protected])

A bunch of packages published by qix in NPM just got backdoored it looks like. Obfuscated code was added like two hours ago. #threatintel #npm

It's a cryptocurrency wallet drainer, RIP a load of devops dudes' crypto.
NPM on it, some packages nuked, more being nuked

If you want an idea of the scale of the trojan attempt - 'color' alone had 32m downloads in a week; the combined attempt was pushing a billion due to upstream dependencies.

Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.

additional backdoored packages

ansi-styles
debug
chalk
supports-color
strip-ansi
ansi-regex
has-ansi

Weekly download stats for impacted packages prior to incident

ansi-styles (371.41m)
debug (357.6m)
backslash (0.26m)
chalk-template (3.9m)
supports-hyperlinks (19.2m)
has-ansi (12.1m)
simple-swizzle (26.26m)
color-string (27.48m)
error-ex (47.17m)
color-name (191.71m)
is-arrayish (73.8m)
slice-ansi (59.8m)
color-convert (193.5m)
wrap-ansi (197.99m)
ansi-regex (243.64m)
supports-color (287.1m)
strip-ansi (261.17m)
chalk (299.99m)

Total 2674m
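The hunt tip above (look for registry.npmjs.org in proxy logs and read the package name out of the URL) worked through as an added example; this is not code from the thread. It pulls the package name from both registry URL shapes (metadata URL and tarball URL, scoped packages included) and flags the names listed in this thread. The log lines and version strings are constructed placeholders, and since the thread does not give the compromised version numbers, a hit means "fetched an impacted package in the window", which you then check against the published bad versions.

```python
import re
from urllib.parse import unquote

# Package names taken from the two lists posted in the thread.
IMPACTED_PACKAGES = {
    "supports-hyperlinks", "chalk-template", "simple-swizzle", "slice-ansi",
    "error-ex", "is-arrayish", "wrap-ansi", "backslash", "color-string",
    "color-convert", "color", "color-name", "ansi-styles", "debug", "chalk",
    "supports-color", "strip-ansi", "ansi-regex", "has-ansi",
}
# Registry host plus the URL path, wherever it appears in a log line.
REGISTRY_URL = re.compile(r"https?://registry\.npmjs\.org(/[^\s\"']*)")

def package_from_path(path):
    """Return (package, version_or_None) for a registry URL path, else None."""
    # Handles metadata URLs (/chalk, /@scope%2fname) and tarball URLs
    # (/chalk/-/chalk-1.2.3.tgz); API paths such as /-/v1/search are skipped.
    parts = [p for p in unquote(path).split("/") if p]
    if not parts or parts[0] == "-":
        return None
    if parts[0].startswith("@"):  # scoped package: @scope/name
        if len(parts) < 2:
            return None
        name, rest = parts[0] + "/" + parts[1], parts[2:]
    else:
        name, rest = parts[0], parts[1:]
    version = None
    if len(rest) >= 2 and rest[0] == "-" and rest[1].endswith(".tgz"):
        short = name.split("/")[-1]  # tarball is named <short>-<version>.tgz
        version = rest[1][len(short) + 1:-len(".tgz")]
    return name, version

def scan_proxy_log(lines):
    """Return (line_no, package, version) for each fetch of an impacted package."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in REGISTRY_URL.finditer(line):
            parsed = package_from_path(m.group(1))
            if parsed and parsed[0] in IMPACTED_PACKAGES:
                hits.append((n, parsed[0], parsed[1]))
    return hits

# Constructed sample lines (not real traffic); version strings are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET https://registry.npmjs.org/chalk HTTP/1.1" 200',
    '10.0.0.5 - - "GET https://registry.npmjs.org/chalk/-/chalk-0.0.0-placeholder.tgz HTTP/1.1" 200',
    '10.0.0.7 - - "GET https://registry.npmjs.org/@types%2fnode HTTP/1.1" 200',
    '10.0.0.9 - - "GET https://registry.npmjs.org/debug/-/debug-0.0.0-placeholder.tgz HTTP/1.1" 200',
    '10.0.0.9 - - "GET https://registry.npmjs.org/-/v1/search?text=chalk HTTP/1.1" 200',
]
```

Run `scan_proxy_log` over your own proxy export instead of SAMPLE_LOG; a tarball hit gives you the exact version fetched, a metadata-only hit tells you a client resolved the package and the tarball fetch should be looked for nearby.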

Phishing email sent to maintainers; they basically targeted people with 2FA by getting them to... reset their 2FA.

@GossiTheDog

That's a clever phish.

It looks similar to requests that companies already make.

I wonder how suspicious that link looked.

@alienghic @GossiTheDog I’ve never seen a legitimate 2FA expiration, only password expirations - though even there I usually don’t get an email; usually I log in and get sent to a change password page and find that my account is disabled until after I update my password. If I got a 2FA expired email my initial assumption would be that it’s an attack.
@ShadSterling @alienghic @GossiTheDog how would you even rotate a Yubikey, short of buying a new one?

@fazalmajid @ShadSterling @GossiTheDog

That's how you'd have to do it.

I do think Yubikey has a point that one should have a backup yubikey locked up somewhere in case you lose your primary key.

@alienghic @ShadSterling @GossiTheDog I have 6, two of which are not Yubikeys but another brand of FIDO2 hardware keys. The most important thing is you need to keep track of which keys you registered with which site, as the keys themselves can't do this due to storage space limitations, unlike passkeys.