Supply chain attack targets npm, +2 Billion weekly npm downloads exposed

Pierluigi Paganini September 09, 2025

Multiple popular npm packages were compromised in a supply chain attack after a maintainer fell for a phishing email targeting 2FA credentials.

A supply chain attack compromised multiple popular npm packages with 2B weekly downloads after a maintainer fell for a phishing email mimicking npm, targeting 2FA credentials.

Threat actors targeted Josh Junon (Qix) to steal his npm credentials and 2FA token via an adversary-in-the-middle (AitM) attack. Once the credentials were obtained, the attackers published malware-laced versions of the packages.

Attackers sent Junon a phishing message that mimicked npm (“support@npmjs[.]help”), urging him to update his two-factor authentication (2FA) credentials before September 10, 2025, by clicking a link embedded in the message.

“As part of our ongoing commitment to account security, we are requesting that all users update their Two-Factor Authentication (2FA) credentials. Our records indicate that it has been over 12 months since your last 2FA update,” the phishing email reads.

“To maintain the security and integrity of your account, we kindly ask that you complete this update at your earliest convenience. Please note that accounts with outdated 2FA credentials will be temporarily locked starting September 10, 2025, to prevent unauthorized access.”

The recipient was redirected to a phishing page designed to prompt them to enter their username, password, and two-factor authentication (2FA) token.

The attack impacted the following 20 packages that have over 2 billion weekly downloads:

Junon confirmed the incident and apologized for its impact.

“Yep, I’ve been pwned. 2FA reset email, looked very legitimate. Only NPM affected. I’ve sent an email off to @npmjs.bsky.social to see if I can get access again. Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up,” Junon wrote in a post on Bluesky.

The compromised packages included malicious code developed to hijack cryptocurrency transactions

Aikido Security researchers discovered that attackers hijacked popular npm packages by injecting malicious code into index.js. The malware intercepts web traffic and crypto wallet APIs (Ethereum, Bitcoin, Solana, Tron, Litecoin, Bitcoin Cash), replacing destination addresses with attacker-controlled ones to hijack funds.

“This malware is essentially a browser-based interceptor that hijacks both network traffic and application APIs. It injects itself into functions like fetch, XMLHttpRequest, and common wallet interfaces, then silently rewrites values in requests and responses,” reads the analysis published by Aikido Security. “That means any sensitive identifiers, such as payment destinations or approval targets, can be swapped out for attacker-controlled ones before the user even sees or signs them. To make the changes harder to notice, it uses string-matching logic that replaces targets with look-alike values.”

It hooks JavaScript functions (fetch, XMLHttpRequest, wallet APIs) to manipulate transactions at multiple layers: web content, API calls, and signing processes. The incident affected popular packages such as chalk, debug, and ansi-styles. Although the compromise is severe, experts note that only applications meeting specific criteria are impacted.

According to Aikido Security experts, at 16:58 UTC the same attackers compromised another package, [email protected], injecting malicious code into dist/cjs/proto-tinker.cjs.entry.js.

The cybersecurity firm shared indicators of compromise for this campaign and recommends that users verify package versions, clear the npm cache, reinstall all dependencies, and use lock files with pinned versions to prevent malicious updates.
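As an added check for the lockfile advice above (example code, not the article's or Aikido's), this Node script audits a parsed package-lock.json against a list of compromised package@version pairs; the versions in it are constructed placeholders to be replaced with Aikido's published IoCs, and it handles both the lockfileVersion 2/3 packages map and the older lockfileVersion 1 dependency tree, including nested duplicate copies.

```javascript
// Added example (not from the article or Aikido Security): audit a parsed
// package-lock.json against known-bad package@version pairs. Versions here
// are CONSTRUCTED placeholders; substitute the IoC list Aikido published.
const COMPROMISED = {
  chalk: new Set(["0.0.0-placeholder"]),
  "ansi-styles": new Set(["0.0.0-placeholder"]),
};
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar"
function nameFromKey(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1];
}

// Handles lockfileVersion 2/3 ("packages" map) and lockfileVersion 1
// (nested "dependencies" tree); nested duplicate copies are checked too.
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = compromised[name];
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key !== "") check(entry.name || nameFromKey(key), entry.version, key);
  }
  if (!lock.packages) {
    const walk = (deps, prefix) => {
      for (const [name, dep] of Object.entries(deps || {})) {
        const where = `${prefix}node_modules/${name}`;
        check(name, dep.version, where);
        walk(dep.dependencies, where + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile: one bad chalk, one clean nested chalk.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "0.0.0-placeholder" },
    "node_modules/foo/node_modules/chalk": { version: "5.3.0" },
  },
};
for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`compromised ${h.name}@${h.version} at ${h.where}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised` in place of the sample; a non-empty result means the tree should be purged and reinstalled from pinned, verified versions.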

Pierluigi Paganini

(SecurityAffairs – hacking, malicious npm packages)
