Particle.news

Phished npm Maintainer’s Packages Used in Crypto-Clipping Attack as Rapid Takedown Limits Damage

The breach began with a phishing email posing as an npm two-factor authentication (2FA) reset notice; with the maintainer's credentials in hand, the attackers pushed malicious updates to widely used libraries.

Overview

  • Researchers count between 18 and 20 popular packages, including chalk, debug and ansi-styles, that were briefly poisoned; their combined weekly downloads are reported at between one and two billion.
  • The injected code ran in browsers, hooking fetch, XMLHttpRequest and wallet APIs to swap recipient addresses for attacker-controlled ones across Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash.
  • npm removed the compromised versions within hours and the maintainer's account was restored; indicators of compromise were published so downstream projects can check what they installed.
  • Estimated losses were minimal, with reports ranging from tens of dollars to roughly a thousand dollars; analysts attribute this to quick detection and bugs in the attacker's code.
  • Security guidance urges pinning or reverting to known-safe versions, auditing CI/CD pipelines and lockfiles, disabling lifecycle scripts during emergency installs, and verifying transaction details on a hardware wallet's own display; no public attribution has been made.
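As an added example (not code from Particle.news, npm or the affected projects), the lockfile-audit step of that guidance as a Node script: it flattens a package-lock.json, handling both the lockfileVersion 1 nested tree and the lockfileVersion 2/3 path map so that nested duplicate copies such as node_modules/a/node_modules/chalk are caught, and flags any installed version of chalk, debug or ansi-styles that appears in a caller-supplied indicators-of-compromise map. The sample lockfile, every version string in it and the SAMPLE_IOCS map are constructed placeholders for the demo; the real package/version pairs must be taken from the published indicators of compromise.

```javascript
// audit-lockfile.js
// Added example, not from the article, npm or the affected projects. Walks a
// package-lock.json and reports every installed copy of the watched packages,
// flagging versions listed in a caller-supplied IOC map. All versions below are
// constructed placeholders; substitute the published indicators before real use.

// Flatten a lockfile into {path, name, version} records.
// lockfileVersion 2/3: "packages" is keyed by install path, so nested duplicates
// (node_modules/a/node_modules/chalk) are visible directly.
// lockfileVersion 1: a nested "dependencies" tree keyed by package name.
function lockfilePackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '' || entry.link) continue; // root project entry or workspace symlink
      const idx = path.lastIndexOf('node_modules/');
      const name = idx === -1 ? path : path.slice(idx + 'node_modules/'.length);
      out.push({ path, name, version: entry.version });
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.push({ path, name, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return out;
}

// One finding per installed copy of a watched package. `compromised` is true when the
// installed version is in the IOC list; clean copies are listed too, so the reader can
// confirm that every copy (not just the top-level one) is on a known-safe version.
function auditLockfile(lock, iocs) {
  return lockfilePackages(lock)
    .filter(pkg => Object.prototype.hasOwnProperty.call(iocs, pkg.name))
    .map(pkg => ({ ...pkg, compromised: iocs[pkg.name].includes(pkg.version) }));
}

// Constructed sample: a lockfileVersion 3 project whose top-level debug is clean but
// whose transitive dependency pulled in a second, flagged copy.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/chalk': { version: '0.0.0-placeholder-clean' },
    'node_modules/debug': { version: '0.0.0-placeholder-clean' },
    'node_modules/some-lib': { version: '0.0.0-placeholder' },
    'node_modules/some-lib/node_modules/debug': { version: '0.0.0-placeholder-flagged' },
  },
};

// Placeholder IOC map (package -> versions to flag); fill from the published indicators.
const SAMPLE_IOCS = {
  chalk: ['0.0.0-placeholder-flagged'],
  debug: ['0.0.0-placeholder-flagged'],
  'ansi-styles': ['0.0.0-placeholder-flagged'],
};

// CLI use: node audit-lockfile.js ./package-lock.json  (falls back to the sample above)
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const findings = auditLockfile(lock, SAMPLE_IOCS);
  for (const f of findings) {
    console.log(`${f.compromised ? 'COMPROMISED' : 'ok         '} ${f.name}@${f.version}  (${f.path})`);
  }
  if (file && findings.some(f => f.compromised)) process.exitCode = 1;
}
```

Run it as `node audit-lockfile.js ./package-lock.json`; it exits non-zero when a flagged version is installed anywhere in the tree, which makes it usable as a CI gate. For the emergency-install step in the same guidance, `npm ci --ignore-scripts` installs exactly what the lockfile specifies without executing any package's install-time lifecycle scripts, and the audit above is worth running before those scripts are re-enabled.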