
- Over a dozen popular npm packages were compromised in a phishing-based supply chain attack
- The malware targeted crypto users by hijacking wallet addresses during transactions
- Some called it the most widespread npm compromise to date, affecting 2 billion weekly downloads
More than a dozen npm packages with two billion downloads a week were compromised in a supply chain attack that targeted cryptocurrency users.
Researchers at Aikido Security spotted the maintainer account Qix (real name Josh Junon) publishing malicious updates. In less than an hour, multiple versions were uploaded, and soon after, Junon himself confirmed the attack and apologized for the mess:
“Yep, I’ve been pwned. 2FA reset email, looked very legitimate,” Junon wrote on Bluesky, confirming that the breach started with a convincing phishing email.
Targeting crypto users
“Only NPM affected, I’ve sent an email off to @npmjs.bsky.social to see if I can get access again. Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up,” he stressed, showing how even the most careful people can get hit if they lower their guard.
According to The Hacker News, these are the 20 compromised packages, which together account for 2 billion weekly downloads:
- ansi-regex@6.2.1
- ansi-styles@6.2.2
- backslash@0.2.1
- chalk@5.6.1
- chalk-template@1.1.1
- color-convert@3.1.1
- color-name@2.0.1
- color-string@2.1.1
- debug@4.4.2
- error-ex@1.3.3
- has-ansi@6.0.1
- is-arrayish@0.3.3
- proto-tinker-wc@1.8.7
- supports-hyperlinks@4.1.1
- simple-swizzle@0.2.3
- slice-ansi@7.1.1
- strip-ansi@7.1.1
- supports-color@10.2.1
- supports-hyperlinks@4.1.1
- wrap-ansi@9.0.1
At the same time, CyberInsider described it as “the most widespread supply chain compromise in the history of the npm ecosystem.”
The malware being distributed through the packages apparently targeted cryptocurrency users. It is designed to intercept crypto transactions by swapping out the destination wallet address with one controlled by the attackers. Ethereum, Solana, Bitcoin, Tron, Litecoin, and Bitcoin Cash seem to be the chains targeted in this campaign.
Via The Hacker News