Massive NPM Supply Chain Attack Nets Just $600 for Hackers

A recent supply chain attack on the npm ecosystem, the package registry for JavaScript, pushed malicious code into roughly 10% of all cloud environments, yet the attackers gained almost nothing from it, according to two detailed reports analyzing the breach. The incident centered on widely used npm packages such as ansi-styles, debug, and chalk, which together account for more than 2 billion downloads a week and are pulled in as transitive dependencies by a huge share of JavaScript projects. Josh Junon, the maintainer known online as "qix," acknowledged on GitHub that he had been taken in by a convincing email about a two-factor authentication (2FA) reset. DuckDB-related packages were compromised in a separate but related attack.

Organizations relying on these packages were lucky: the payload was a cryptocurrency wallet drainer rather than anything more destructive. As cybersecurity researcher Kevin Beaumont noted, the outcome could have been far worse. "Imagine if they had done reverse shells instead, or automated lateral movement to ransomware deployment NotPetya style," Beaumont stated. "The thing that saved companies here was that the threat actor was merely an incompetent crypto boy."

NPM Attack Highlights Rapid Spread of Malicious Code

The Open Security Alliance reported that the attack on qix's packages netted a mere $20, while the DuckDB incident brought in about $600; both used the same wallet-drainer payload. Socket's analysis reaches the same conclusion: the campaign was disruptive, but its direct financial impact was minimal. "The largest cost of this incident will likely be the thousands of hours expended by engineering and security teams globally to remediate compromised environments," Socket emphasized.

Wiz added that at least one of the affected packages is present in 99% of cloud environments, and the malicious versions reached roughly 10% of them. "From this, we can infer that during the brief two-hour window in which the harmful versions were available, the malicious code effectively reached 1 in 10 cloud environments," said Wiz. The figures show how quickly malicious code propagates during a supply chain attack, even when the bad versions are live for only a couple of hours.

Understanding the Mechanics of the NPM Supply Chain Attack

According to Junon, the phishing email that started the attack came from support@npmjs[.]help, a lookalike domain chosen to pass for the legitimate npmjs.com. Other maintainers reported receiving the same email, which threatened to lock their accounts unless they "updated" their 2FA settings. The message read:

“As part of our ongoing commitment to account security, we are requesting that all users update their Two-Factor Authentication (2FA) credentials. Our records indicate that it has been over 12 months since your last 2FA update. To maintain the security and integrity of your account, we kindly ask that you complete this update at your earliest convenience. Please note that accounts with outdated 2FA credentials will be temporarily locked starting September 10, 2025, to prevent unauthorized access.”

The compromised packages were republished with malicious code that runs in the browser of anyone visiting a site whose front-end bundle includes them. The code silently intercepts cryptocurrency and web3 activity, hooks into wallet interactions, and rewrites payment destinations, so funds and transaction approvals go to attacker-controlled addresses while the user sees nothing unusual.

The attack arrives amid reports that supply chain incidents of this kind have doubled in recent months. Attackers increasingly target the people and accounts behind widely used software at scale, most often with carefully crafted phishing, as this case demonstrates.

