More than a dozen popular npm packages—responsible for a combined two billion weekly downloads—have been compromised in what’s now being called one of the most widespread supply chain attacks in npm history. Security researchers at Aikido Security found that a maintainer’s account, Qix (Josh Junon), was targeted with a phishing email, leading to a 2FA reset and malicious versions being published in under an hour. Junon confirmed the incident, acknowledged the breach, and is now working to restore the impacted packages.
Among the compromised packages are widely used names such as chalk, ansi-regex, debug, color-convert, and more. The campaign’s payload went after cryptocurrency users, hijacking wallet addresses during transactions and redirecting funds to attacker-controlled wallets. The malware reportedly targeted major chains including Ethereum, Solana, Bitcoin, Tron, Litecoin, and Bitcoin Cash.
Here’s the list of compromised npm packages cited by security sources:
This event shows that even highly trusted open source maintainers can fall victim to social engineering attacks, making regular vigilance and strong security practices essential for package developers and users handling cryptocurrency via npm dependencies.
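A practical first check for users of the packages named above is to inventory which versions a project actually resolves, including nested copies, and compare them against the versions an advisory flags. The script below is an added example, not code from the article or from the affected projects; it assumes an npm lockfile with `lockfileVersion` 2 or 3 (the `packages` map), uses a constructed lockfile excerpt, and leaves the compromised-version set as a placeholder to be filled from an authoritative advisory.

```javascript
// Added example: inventory an npm lockfile (v2/v3 "packages" map) for the
// package names the article mentions, so a defender can compare resolved
// versions against an advisory's list of malicious versions.
const WATCHLIST = ["chalk", "ansi-regex", "debug", "color-convert"];

// Placeholder: fill from the advisory, e.g. { chalk: new Set(["x.y.z"]) }.
const COMPROMISED_VERSIONS = {};

// Return every installed copy of a watched package, including nested copies
// such as node_modules/jest/node_modules/chalk, with its resolved version.
function inventoryLockfile(lock, watchlist = WATCHLIST) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project entry
    const idx = path.lastIndexOf("node_modules/");
    // Workspace entries (no node_modules/ segment) carry their own "name".
    const name = idx === -1 ? (meta.name || path) : path.slice(idx + "node_modules/".length);
    if (!watchlist.includes(name)) continue;
    const bad = COMPROMISED_VERSIONS[name];
    hits.push({
      path,
      name,
      version: meta.version,
      flagged: Boolean(bad && bad.has(meta.version)),
    });
  }
  return hits;
}

// Constructed lockfile excerpt; the versions are sample values, not the
// malicious ones.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/chalk": { version: "4.1.2" },
    "node_modules/debug": { version: "4.3.4" },
    "node_modules/jest/node_modules/chalk": { version: "2.4.2" },
    "node_modules/express": { version: "4.19.2" },
  },
};

for (const h of inventoryLockfile(SAMPLE_LOCK)) {
  console.log(`${h.path} ${h.version}${h.flagged ? "  <-- listed as compromised" : ""}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.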