By Sead Fadilpašić
Copyright techradar
Compromised files replace npm packages with a combined 2 billion weekly downloads
Sead Fadilpašić
9 September 2025
The “biggest supply chain attack” in the history of npm took place recently
Over a dozen popular npm packages were compromised in a phishing-based supply chain attack
The malware targeted crypto users by hijacking wallet addresses during transactions
Some called it the most widespread npm compromise to date, affecting 2 billion weekly downloads
More than a dozen npm packages with two billion downloads a week were compromised in a supply chain attack that targeted cryptocurrency users.
Researchers at Aikido Security spotted the maintainer account Qix (real name Josh Junon) publishing malicious updates. In less than an hour, multiple versions were uploaded, and soon after Junon himself confirmed the attack and apologized for the mess.
“Yep, I’ve been pwned. 2FA reset email, looked very legitimate,” Junon wrote on Bluesky, confirming that the breach started with a convincing phishing email.
Targeting crypto users
“Only NPM affected, I’ve sent an email off to @npmjs.bsky.social to see if I can get access again. Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up,” he stressed, showing how even the most careful people can get hit if they lower their guard.
According to The Hacker News, this is the list of 20 compromised packages, cumulatively counting 2 billion weekly downloads:
ansi-regex@6.2.1
ansi-styles@6.2.2
backslash@0.2.1
chalk@5.6.1
chalk-template@1.1.1
color-convert@3.1.1
color-name@2.0.1
color-string@2.1.1
debug@4.4.2
error-ex@1.3.3
has-ansi@6.0.1
is-arrayish@0.3.3
proto-tinker-wc@1.8.7
supports-hyperlinks@4.1.1
simple-swizzle@0.2.3
slice-ansi@7.1.1
strip-ansi@7.1.1
supports-color@10.2.1
supports-hyperlinks@4.1.1
wrap-ansi@9.0.1
At the same time, CyberInsider described it as “the most widespread supply chain compromise in the history of the npm ecosystem.”
The malware being distributed through the packages apparently targeted cryptocurrency users. It is designed to intercept crypto transactions by swapping out the destination wallet address with one controlled by the attackers. Ethereum, Solana, Bitcoin, Tron, Litecoin, and Bitcoin Cash seem to be the chains targeted in this campaign.
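To check a project against the package versions listed above, the following added example (not code from the article, npm or the researchers) scans a parsed package-lock.json for exact name@version matches. The names findCompromised, nameFromPath and SAMPLE_LOCK are hypothetical, the sample lockfile is constructed, and the version list is copied from the article, where the entry repeated in it collapses to one.

```javascript
// Added example. Versions copied from the article's list of compromised releases.
const COMPROMISED = new Set(`
  ansi-regex@6.2.1 ansi-styles@6.2.2 backslash@0.2.1 chalk@5.6.1
  chalk-template@1.1.1 color-convert@3.1.1 color-name@2.0.1 color-string@2.1.1
  debug@4.4.2 error-ex@1.3.3 has-ansi@6.0.1 is-arrayish@0.3.3
  proto-tinker-wc@1.8.7 supports-hyperlinks@4.1.1 simple-swizzle@0.2.3
  slice-ansi@7.1.1 strip-ansi@7.1.1 supports-color@10.2.1 wrap-ansi@9.0.1
`.trim().split(/\s+/));

// Install path -> package name: "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? path : path.slice(i + "node_modules/".length);
}

// Returns [{ id, path }] for every lockfile entry pinned to a listed version.
function findCompromised(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta.version) continue; // "" is the root project itself
    // meta.name is set when the folder name differs (npm alias installs).
    const id = `${meta.name || nameFromPath(path)}@${meta.version}`;
    if (COMPROMISED.has(id)) hits.push({ id, path });
  }
  // lockfileVersion 1 (and the v2 compatibility copy): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      const id = `${name}@${meta.version}`;
      const seen = hits.some((h) => h.path === path);
      if (COMPROMISED.has(id) && !seen) hits.push({ id, path });
      walk(meta.dependencies, `${path}/`); // transitive copies nested below
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.6.1" },
    "node_modules/debug": { version: "4.4.1" },
    "node_modules/wrap-ansi/node_modules/strip-ansi": { version: "7.1.1" },
    "node_modules/colors": { name: "color-name", version: "2.0.1" },
  },
};
console.log(findCompromised(SAMPLE_LOCK).map((h) => `${h.id} at ${h.path}`).join("\n"));
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json; a match means the lockfile pins a listed release, including copies nested under other dependencies.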
Via The Hacker News
Sead Fadilpašić
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.