Overview
- Developer Josh Junon, known on npm as qix, confirmed his npm account was compromised after a convincing phishing email asking him to renew his 2FA settings, sent from the lookalike domain npmjs.help rather than npmjs.com.
- Attackers published manipulated updates to roughly two dozen widely used packages, including chalk, debug and strip-ansi, which collectively see more than two billion downloads per week.
- Analysts at Aikido Security and Socket.dev report that the injected code runs in the browser, hooks network requests and wallet-extension APIs, and rewrites the recipient address of outgoing transactions to an attacker-controlled one before the user signs.
- The code targets transactions in Bitcoin, Bitcoin Cash, Ethereum, Litecoin, Solana and Tron, using obfuscation techniques such as invisible characters and mixed text directions to hinder detection.
- Known tainted releases have been removed from npm, yet investigators warn that older installs or other accounts may still be affected; teams are urged to audit their lockfiles (including nested, transitive copies of the packages), pin to versions they have verified as clean, and rebuild from a fresh install.
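The audit step in the last bullet is easy to get wrong because a package such as chalk is often installed several times, once at the top level and again nested under a transitive dependency, and a quick look at package.json misses the nested copies. The script below is an added example written for this page, not code from the article or from any of the researchers it cites. It walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3), lists every installed copy of the watched packages, flags any version that is not on a team-maintained allowlist, and prints the `overrides` block that forces all copies onto the pinned version. The package names are the ones the article mentions; every version number in it is a placeholder chosen for illustration and says nothing about which real releases are clean, so the allowlist must be filled in from the vendors' advisories.

```javascript
// Added example (not from the original article): audit a package-lock.json for
// every installed copy of a set of watched packages and flag versions outside a
// team-maintained allowlist. All version strings below are placeholders.

const WATCHED = ["chalk", "debug", "strip-ansi"];

// Hypothetical allowlist: the exact versions the team has verified. The first
// entry per package is the one the generated "overrides" block pins to.
const SAFE_VERSIONS = {
  chalk: ["5.3.0"],
  debug: ["4.4.1"],
  "strip-ansi": ["7.1.0"],
};

// Constructed sample lockfile (lockfileVersion 3). chalk appears twice: the root
// copy and a nested copy under some-cli, which a shallow check would miss.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { chalk: "^5.3.0", debug: "^4.4.1" } },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/debug": { version: "4.4.1" },
    "node_modules/strip-ansi": { version: "7.1.0" },
    "node_modules/some-cli": { version: "1.0.0", dependencies: { chalk: "^5.0.0" } },
    "node_modules/some-cli/node_modules/chalk": { version: "9.9.9" }, // not on the allowlist
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// The package name is everything after the LAST "node_modules/" in the key.
// Scoped packages (@scope/name) contain a slash, so split on the marker, not "/".
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Returns every installed copy of a watched package, nested copies included.
function findInstalled(lockfile, watched) {
  const found = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromKey(key);
    if (name && watched.includes(name) && entry.version) {
      found.push({ name, version: entry.version, path: key });
    }
  }
  return found;
}

// Flags any installed copy whose version is not on the allowlist.
function audit(lockfile, watched, safeVersions) {
  return findInstalled(lockfile, watched).filter(
    (p) => !(safeVersions[p.name] || []).includes(p.version)
  );
}

// Builds the package.json "overrides" block (honoured by npm 8.3 and later) that
// forces every copy of each watched package, nested ones included, onto the pin.
function buildOverrides(safeVersions) {
  const overrides = {};
  for (const [name, versions] of Object.entries(safeVersions)) {
    overrides[name] = versions[0];
  }
  return overrides;
}

// Demo run on the constructed lockfile. For a real audit, replace SAMPLE_LOCKFILE
// with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
const flagged = audit(SAMPLE_LOCKFILE, WATCHED, SAFE_VERSIONS);
for (const p of flagged) {
  console.log(`FLAGGED ${p.name}@${p.version} at ${p.path}`);
}
console.log("overrides:", JSON.stringify({ overrides: buildOverrides(SAFE_VERSIONS) }, null, 2));
```

After adding the printed `overrides` block to package.json, delete node_modules and the lockfile and run a clean `npm install`, then re-run the audit on the regenerated lockfile; the flagged list should be empty. The same walk works for pnpm or yarn lockfiles only after adapting the key parsing, since their formats differ.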