Particle.news


NPM Phishing Breach Pushes Malicious Updates to Widely Used JavaScript Packages, Yet Financial Hit Is Tiny

Rapid detection of build failures led researchers and maintainers to pull compromised versions within hours, cutting short a browser-side crypto-clipper that aimed to swap wallet addresses.

Overview

  • Maintainer Josh Junon (Qix) confirmed his npm account was taken over via a fake support email from the npmjs.help domain that captured credentials and 2FA codes, with exfiltration observed to websocket-api2.publicvm.com.
  • Attackers published rogue releases of at least 18 high-download packages, including chalk, debug, ansi-styles, strip-ansi and others, inserting code that hooked fetch, XMLHttpRequest and wallet APIs to intercept and rewrite crypto transactions across multiple chains.
  • Aikido Security detected the incident around 13:15 UTC on September 8 after anomalous build errors, and npm and project maintainers removed or rolled back the tainted versions shortly thereafter; some advisories list up to 20 affected packages.
  • Blockchain analysts report only about $497–$505 reached attacker wallets, with researchers attributing the limited haul to early CI/CD crashes and swift community response.
  • Security teams urge auditing and pinning dependencies, rotating tokens and secrets, disabling lifecycle scripts for emergency installs, and avoiding on-chain transactions unless using hardware wallets with on-device verification.
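The auditing and pinning advice in the last point is easier to act on with a script than by reading a lockfile by hand. The following is an added example written for this summary; it is not code from Particle.news, from npm, or from any of the packages named above. It parses a `package-lock.json` (lockfileVersion 2 or 3, the format current npm writes), lists every installed copy of the watched packages, including copies nested under other dependencies, flags any whose version is on a known-bad list, and reports root dependencies that are declared as ranges rather than exact versions. The package names are the ones the summary lists; the lockfile contents, the `PLACEHOLDER_BAD_VERSIONS` map and every version number are constructed for the demo and are not the real list of compromised releases, which must be taken from the published advisory.

```javascript
// Added example (not from the Particle.news summary, npm, or the affected
// projects): audit a package-lock.json for the packages named in the incident.
// Package names come from the summary; all versions and lockfile entries below
// are constructed placeholders, NOT the real advisory data.

const WATCHLIST = ['chalk', 'debug', 'ansi-styles', 'strip-ansi'];

// Constructed placeholder "known-bad" versions, keyed by package name.
// Replace with the versions from the advisory before using this for real.
const PLACEHOLDER_BAD_VERSIONS = {
  chalk: ['9.9.9-bad'],
  'strip-ansi': ['8.8.8-bad'],
};

// Constructed lockfileVersion 3 excerpt. The nested strip-ansi entry shows that
// a watched package can be installed more than once under different parents,
// which a check of only the top-level node_modules entries would miss.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'demo-app',
      dependencies: { chalk: '^9.0.0', debug: '4.3.4', 'ansi-styles': '~6.0.0' },
    },
    'node_modules/chalk': { version: '9.9.9-bad' },
    'node_modules/debug': { version: '4.3.4' },
    'node_modules/ansi-styles': { version: '6.0.1' },
    'node_modules/some-tool': { version: '1.0.0', dependencies: { 'strip-ansi': '^7.0.0' } },
    'node_modules/some-tool/node_modules/strip-ansi': { version: '7.0.2' },
  },
});

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is everything after the last "node_modules/", so scoped names survive.
function packageNameFromPath(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Walk every installed copy of a watched package and flag the ones whose
// installed version appears in the known-bad map.
function auditLockfile(lockfileText, watchlist, badVersions) {
  const lock = JSON.parse(lockfileText);
  if (!lock.packages || !(lock.lockfileVersion >= 2)) {
    throw new Error('expected a lockfileVersion 2 or 3 package-lock.json');
  }
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(key);
    if (!name || !watchlist.includes(name)) continue;
    const flagged = (badVersions[name] || []).includes(entry.version);
    findings.push({ name, path: key, version: entry.version, flagged });
  }
  return findings;
}

// A root dependency counts as pinned only if its specifier is an exact semver
// version; ranges (^, ~, >, <, x, *, ||) let a later install pull a new release.
function unpinnedRootDependencies(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const root = (lock.packages && lock.packages['']) || {};
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
  const out = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(root[section] || {})) {
      if (!exact.test(spec)) out.push({ name, spec });
    }
  }
  return out;
}

// Human-readable report over the constructed sample.
function report(lockfileText) {
  const lines = [];
  for (const f of auditLockfile(lockfileText, WATCHLIST, PLACEHOLDER_BAD_VERSIONS)) {
    lines.push(`${f.flagged ? 'FLAGGED' : 'ok     '} ${f.name}@${f.version}  (${f.path})`);
  }
  for (const d of unpinnedRootDependencies(lockfileText)) {
    lines.push(`unpinned ${d.name}: ${d.spec}`);
  }
  return lines;
}

console.log(report(SAMPLE_LOCKFILE).join('\n'));
```

Run it against a real project by reading `package-lock.json` from disk in place of `SAMPLE_LOCKFILE` and filling the bad-version map from the advisory. When a flagged copy turns up and dependencies have to be reinstalled in a hurry, `npm ci --ignore-scripts` installs from the lockfile without running any package's lifecycle scripts, which is the "disabling lifecycle scripts for emergency installs" step the summary recommends; it does not remove the need to pin the replacement versions afterwards.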