Sep 09, 2025 12:50:00

18 popular npm packages with over 2.6 billion weekly downloads may have been infected with malware; npm developer accounts were hacked, sparking uproar

It has been discovered that a developer account on the Node.js package management system '

npm ' was hijacked and malware was injected into a large number of packages.

npm debug and chalk packages compromised
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack

https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/

18 Popular Code Packages Hacked, Rigged to Steal Crypto – Krebs on Security
https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/

According to security firm Aikido Security, the attackers sent phishing emails to developer Josh Junon to obtain his credentials, then began injecting malicious code into several packages managed by npm and distributing them.

Malicious code could monitor cryptocurrency transactions conducted through a website, allowing bad actors to hijack the transactions.

Aikido Security has confirmed that a series of packages believed to contain malicious code have been pushed to npm since around 10:00 PM on September 8, 2025 (Japan time). The affected packages are 18 highly popular packages with a combined weekly download count of 2.6 billion.

Since this incident was discovered, the npm team has removed some of the malicious versions published by the attackers.

According to Junon, the phishing email was sent from an address similar to the legitimate address npmjs.com: [email protected]. The email stated, 'As part of our ongoing efforts to ensure your account security, we are asking all users to update their two-factor authentication information. Our records show that it has been more than 12 months since your last update,' and included a link to a phishing site. It has also been noted that the domain used in the phishing email was acquired just two days before the email was sent.

'I was hacked. I'm sorry. I'm really embarrassed. At first glance, I thought it was a legitimate site. I'm not making excuses. I've just had a long week, been busy this morning, and was trying to get some things done. I would normally go directly to the site, but I was on my mobile device and made the mistake of clicking a link in an email,' Junon wrote .

According to reports from recipients of the phishing emails, the attackers have also targeted other package maintainers and developers using similar emails. Security firm Privy points out that 'to be affected, certain conditions must be met, such as a fresh install occurring within approximately two and a half hours of the package being compromised and creating a package-lock.json file during that time. Therefore, the impact is likely to be significantly less than expected.'