Incident
On September 8, 2025, the npm ecosystem experienced a major coordinated supply-chain attack. A total of 18 widely-used JavaScript packages were compromised with malicious code designed to intercept cryptocurrency transactions in browsers. These packages collectively see over 2 billion weekly downloads, making this incident one of the most impactful attacks in open-source history.
Affected packages include:
- ansi-styles@6.2.2
- debug@4.4.2
- chalk@5.6.1
- supports-color@10.2.1
- strip-ansi@7.1.1
- ansi-regex@6.2.1
- wrap-ansi@9.0.1
- color-convert@3.1.1
- color-name@2.0.1
- is-arrayish@0.3.3
- slice-ansi@7.1.1
- color@5.0.1
- color-string@2.1.1
- simple-swizzle@0.2.3
- supports-hyperlinks@4.1.1
- has-ansi@6.0.1
- chalk-template@1.1.1
- backslash@0.2.1
- error-ex@1.3.3
These packages are integral to countless development projects and are often included as dependencies in other libraries, magnifying the potential impact.
How the Compromise Happened
The attackers leveraged sophisticated social engineering:
Phishing Campaign: A maintainer received a phishing email from a fake domain npmjs.help that mimicked the official npm registry. The email prompted them to update 2FA credentials on a fraudulent login page.
Account Takeover: Once the credentials were captured, attackers gained control of the maintainer’s account and pushed malicious updates to 18 packages.
Malicious Payload: The injected code acted as a Web3 drainer, silently monitoring for cryptocurrency wallets and intercepting blockchain transactions. Techniques included:
- Hijacking the fetch and XMLHttpRequest browser APIs
- Monitoring window.ethereum and wallet APIs like MetaMask and Phantom
- Manipulating transaction details, including recipient addresses and QR codes
The payload was highly sophisticated, capable of address-swapping for Ethereum, Bitcoin, Solana, Tron, Litecoin, Bitcoin Cash, and even on-chain smart contract functions such as ERC-20 token transfers and approvals. Attackers used string similarity algorithms (e.g., Levenshtein distance) to replace user addresses with attacker addresses that looked almost identical, making detection extremely difficult.
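One defensive check that follows from the hooking behaviour described above is to verify at runtime that the browser APIs the payload targets (fetch, XMLHttpRequest.prototype.open/send) are still the engine's native implementations rather than JavaScript wrappers. The block below is an added example written for this post, not code from the original article or from OX Security. It assumes a CommonJS Node.js runtime for the demo; the `window` objects it inspects are constructed stand-ins that borrow genuinely native functions from the runtime (Array.prototype.map, Map.prototype.get/set), since Node has no XMLHttpRequest. In a browser you would pass `window` itself.

```javascript
'use strict';

// Capture the genuine toString at load time so that a later replacement of
// Function.prototype.toString cannot make a wrapper look native.
const nativeToString = Function.prototype.toString;
const NATIVE_BODY = /\{\s*\[native code\]\s*\}\s*$/;

// True only when the engine reports the function as native code.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  try {
    return NATIVE_BODY.test(nativeToString.call(fn));
  } catch {
    return false;
  }
}

// Resolve a dotted path such as "XMLHttpRequest.prototype.open" on a root object.
function resolvePath(root, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Return the dotted names whose current value is missing or not a native function.
function findPatchedApis(root, apiPaths) {
  return apiPaths.filter((p) => !isNativeFunction(resolvePath(root, p)));
}

// The APIs the post says the payload hooks (add 'XMLHttpRequest' itself in a browser).
const WATCHED_APIS = ['fetch', 'XMLHttpRequest.prototype.open', 'XMLHttpRequest.prototype.send'];

// Constructed stand-in for `window`: native runtime functions play the untouched APIs.
function buildStandInWindow() {
  return {
    fetch: Array.prototype.map,
    XMLHttpRequest: { prototype: { open: Map.prototype.get, send: Map.prototype.set } },
  };
}

// Compare a clean stand-in with one where two APIs have been replaced by plain
// JavaScript wrappers, which is what an in-page hook looks like to the check.
function demoResults() {
  const clean = buildStandInWindow();
  const hooked = buildStandInWindow();
  const originalFetch = hooked.fetch;
  hooked.fetch = function fetch(...args) { return originalFetch.apply(this, args); };
  const originalSend = hooked.XMLHttpRequest.prototype.send;
  hooked.XMLHttpRequest.prototype.send = function send(...args) { return originalSend.apply(this, args); };
  return {
    clean: findPatchedApis(clean, WATCHED_APIS),   // []
    hooked: findPatchedApis(hooked, WATCHED_APIS), // ['fetch', 'XMLHttpRequest.prototype.send']
  };
}

console.log(demoResults());
```

This is a heuristic, and its limits matter: the check must load before any third-party bundle (a hook installed first will also have captured the original toString), bound functions and callable Proxy objects are reported by the engine as native code and therefore pass, and a wrapper that runs in a worker or service worker is outside the inspected object entirely. Treat a non-empty result as a signal to investigate the loaded scripts, not as proof of compromise.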
How Developers Were at Risk
There were several ways the attack could propagate:
Fresh installs: Developers installing any of the compromised packages would pull malicious code into their environment.
Container rebuilds: Without version locking in package.json or lock files, rebuilds could automatically fetch compromised versions.
Automated updates: Running npm update could inadvertently upgrade to a malicious version.
Mitigation was possible if developers immediately locked to patched versions or rebuilt artifacts from clean sources.
Technical Analysis
The attack illustrates a perfectly executed client-side compromise:
Phishing sophistication: The fake domain and messaging were nearly identical to npm’s official communication.
Malware stealth: The Web3 drainer operated silently, leaving minimal logs and targeting only crypto-related activity.
Payload replication: All 18 compromised packages contained identical malicious logic, showing advanced orchestration.
This attack demonstrates why traditional reactive security—patching after vulnerabilities are found—is insufficient. Open-source ecosystems demand proactive monitoring and contextual awareness of dependencies.
Industry Response
Upon discovery, several measures were immediately taken:
Package removal: Malicious versions were removed from the npm registry.
Alerts issued: Security teams and developers were notified to audit and update dependencies.
Continuous monitoring: Security platforms, including OX Security, flagged affected packages and identified critical dependency-chain hijacks.
Example mitigation using the OX Security platform:
Detected error-ex@1.3.3 as Critical severity
Identified its behavior targeting browser and wallet APIs
Provided actionable remediation steps: downgrade to prior version and audit environment
Lessons Learned
Social engineering remains a top attack vector: Phishing can compromise even highly technical maintainers.
Dependency hygiene is critical: Open-source dependencies, if not monitored, can introduce cascading vulnerabilities.
Proactive security models are essential: SBOMs, runtime monitoring, and AI-driven threat intelligence allow for preemptive detection of attacks rather than reactive patching.
Recommended Actions for Developers
- Audit all npm dependencies and update to clean versions immediately.
- Implement version locking with package-lock.json or npm shrinkwrap.
- Review deployed containers and artifacts for injected malicious code.
- Rotate secrets and revoke token approvals from wallets potentially affected.
- Stay updated on security advisories and integrate automated dependency monitoring.
Key Takeaway
The npm ecosystem is massive and interconnected, and even a single compromised maintainer can ripple across billions of weekly downloads. This incident is a wake-up call: open-source security is no longer optional, and developers must adopt layered, context-aware defenses to safeguard applications and assets.
Stay safe, stay vigilant! For any help or audits, feel free to reach out to us or request a quote.