Multiple npm packages have been compromised as part of a software supply chain attack after a maintainer’s account was compromised in a phishing attack.
The attack targeted Josh Junon (aka Qix), who received an email message that mimicked npm (“support@npmjs[.]help”), urging them to update their update their two-factor authentication (2FA) credentials before September 10, 2025, by clicking on embedded link.
The phishing page is said to have prompted the co-maintainer to enter their username, password, and two-factor authentication (2FA) token, only for it to be stolen likely by means of an adversary-in-the-middle (AitM) attack and used to publish the rogue version to the npm registry.
The following 20 packages, which collectively attract over 2 billion weekly downloads, have been confirmed as affected as part of the incident –
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
“Sorry everyone, I should have paid more attention,” Junon said in a post on Bluesky. “Not like me; have had a stressful week. Will work to get this cleaned up.”
An analysis of the obfuscated malware injected into the source code reveals that it’s designed to intercept cryptocurrency transaction requests and swap the destination wallet address with an attacker-controlled wallet that closely matches it by computing the Levenshtein distance.
According to Aikido Security’s Charlie Eriksen, the payload acts as a browser-based interceptor that hijacks network traffic and application APIs to steal cryptocurrency assets by rewriting requests and responses. It’s currently not known who is behind the attack.
“The payload begins by checking typeof window !== ‘undefined’ to confirm it is running in a browser,” Socket said. “It then hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs.”
“This means the malware targets end users with connected wallets who visit a site that includes the compromised code. Developers are not inherently the target, but if they open an affected site in a browser and connect a wallet, they too become victims.”
Package ecosystems like npm and the Python Package Index (PyPI) remain recurring targets due to their popularity and broad reach within the developer community, with attackers abusing the trust associated with these platforms to push malicious payloads.
Beyond publishing malicious packages directly, attackers have also employed techniques such as typosquatting or even exploiting AI-hallucinated dependencies – called slopsquatting – to trick developers into installing malware….
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
