Particle.news

Phishing of npm Maintainer Triggers Brief Mass Package Compromise Aimed at Crypto Theft

The tainted releases were removed within hours, with users urged to verify transactions on hardware wallets.

Overview

  • A targeted phishing email from [email protected] duped maintainer Josh Junon into sharing credentials and a 2FA code, enabling attackers to publish malicious updates.
  • At least 18 widely used packages — including chalk, debug, ansi-styles and strip-ansi — saw rogue versions pushed starting around 13:15 UTC on September 8 before npm and maintainers pulled them within roughly two to four hours.
  • The injected payload operated as a browser-side crypto clipper that hooked window.fetch, XMLHttpRequest and wallet APIs such as window.ethereum.request to swap destination addresses using similarity heuristics like Levenshtein distance.
  • Ledger’s CTO warned software wallet users to pause on-chain activity and said hardware wallet users remain protected if they confirm recipient details on-device.
  • Early takedowns and community coordination appear to have limited theft to small, inconsistently reported amounts, as investigators continue assessing downstream impact and advise pinning safe versions, rebuilding lockfiles, disabling install scripts and auditing SBOMs.
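The following is an added example, not code from the Particle.news summary or from any of the npm packages it names. It shows a defender-side integrity check for the browser APIs the summary says the clipper hooked (window.fetch, XMLHttpRequest and window.ethereum.request). Two different checks are needed: genuine browser built-ins always report `[native code]` from `Function.prototype.toString`, whereas a wallet provider's `request` is ordinary JavaScript injected by the extension, so for it the check pins the reference seen at page load and reports any later replacement. The `env` object stands in for `window` so the code also runs under Node, and the `demo()` function builds a constructed environment with native built-ins as stand-ins for the real browser ones.

```javascript
// Added example (not from the summary or any npm project): detect monkey-patched
// network and wallet APIs. `env` stands in for `window`.

const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// Browser built-ins: the genuine implementation always stringifies to "[native code]".
const BUILTIN_APIS = ["fetch", "XMLHttpRequest.prototype.open", "XMLHttpRequest.prototype.send"];
// Wallet provider entry points are plain JS injected by the extension, so a
// native-code test does not apply; pin the reference observed at page load instead.
const PROVIDER_APIS = ["ethereum.request"];

// Resolve a dotted path such as "XMLHttpRequest.prototype.open" on `root`.
function resolvePath(root, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), root);
}

function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  try {
    return NATIVE_RE.test(Function.prototype.toString.call(fn));
  } catch {
    return false; // a hostile toString override is itself suspicious
  }
}

// Call once, as early as possible (before any third-party bundle has executed).
function snapshotProviders(env, apis = PROVIDER_APIS) {
  const snap = new Map();
  for (const path of apis) snap.set(path, resolvePath(env, path));
  return snap;
}

// Returns { ok, findings: [{ path, reason }] }.
function auditHooks(env, snapshot, builtins = BUILTIN_APIS) {
  const findings = [];
  for (const path of builtins) {
    const fn = resolvePath(env, path);
    if (fn === undefined) continue; // API absent in this environment
    if (!isNativeFunction(fn)) findings.push({ path, reason: "not native code" });
  }
  for (const [path, original] of snapshot) {
    if (resolvePath(env, path) !== original) {
      findings.push({ path, reason: "reference changed since page load" });
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed environment: Array.prototype.push stands in for the native browser
// functions; ethereum.request mimics an extension-injected provider method.
function demo() {
  const env = {
    fetch: Array.prototype.push,
    XMLHttpRequest: { prototype: { open: Array.prototype.push, send: Array.prototype.push } },
    ethereum: { request: async () => "0x0" },
  };
  const snap = snapshotProviders(env);
  const before = auditHooks(env, snap);

  // Simulate what a monkey-patching bundle leaves behind: plain JS wrappers
  // that forward to the originals but are no longer the original references.
  const realFetch = env.fetch;
  env.fetch = function (...args) { return realFetch.apply(this, args); };
  const realRequest = env.ethereum.request;
  env.ethereum.request = (...args) => realRequest(...args);

  const after = auditHooks(env, snap);
  return { before, after };
}
```

Run `auditHooks` from a script that loads before any bundled dependency, and treat a clean result as "nothing obvious" rather than proof: a malicious bundle that also overrides `Function.prototype.toString` can defeat the native-code test. That is why the summary's advice about confirming recipient details on a hardware wallet's screen remains the check that does not depend on page JavaScript.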
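The mitigation advice in the last bullet (pin safe versions, rebuild lockfiles, disable install scripts) can be checked mechanically against a lockfile. The following is an added example, not code from the summary or from npm: it audits the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) for a watchlist of the package names the summary mentions, reporting nested copies as well as top-level ones, and flags any dependency that declares an install script. The pinned "safe" versions are placeholders because the summary does not list version numbers; `SAMPLE_LOCK` is a constructed lockfile used for demonstration.

```javascript
// Added example (not from the summary or npm): lockfile watchlist audit.

// Package names taken from the summary. The versions are PLACEHOLDERS: replace them
// with the versions your advisory source lists as safe for your dependency set.
const PINNED = {
  chalk: "<safe-version>",
  debug: "<safe-version>",
  "ansi-styles": "<safe-version>",
  "strip-ansi": "<safe-version>",
};

// "node_modules/a/node_modules/b" -> "b"; scoped names keep their scope.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// `lock` is the parsed lockfile object. Returns a list of findings; empty means clean.
function auditLock(lock, pinned = PINNED) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = packageNameFromPath(path);
    if (name in pinned && entry.version !== pinned[name]) {
      findings.push({ path, name, version: entry.version, reason: "version not the pinned safe one" });
    }
    // npm records this flag for packages with preinstall/install/postinstall scripts.
    if (entry.hasInstallScript) {
      findings.push({ path, name, version: entry.version, reason: "install script present" });
    }
  }
  return findings;
}

// Constructed sample: one pinned package at the safe version, one nested copy of
// another at an unexpected version, and one unrelated package with an install script.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/chalk": { version: "<safe-version>" },
    "node_modules/foo": { version: "2.0.0" },
    "node_modules/foo/node_modules/debug": { version: "9.9.9" },
    "node_modules/bar": { version: "1.2.3", hasInstallScript: true },
  },
};

function demoFindings() {
  return auditLock(SAMPLE_LOCK);
}
```

To run it against a real project, parse the file with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass the result to `auditLock`. Pair the audit with `ignore-scripts=true` in `.npmrc`, which makes npm skip lifecycle scripts during installs, and with `npm ci` so the install is reproduced from the reviewed lockfile rather than re-resolved.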