The largest supply chain attack in JavaScript history
- Loïc Castel
Document version: 1.0
Initial publication date: September 9, 2025
Author: Loïc Castel
Summary:
Introduction and Summary of Facts
On September 8, 2025, the JavaScript ecosystem was hit by what is believed to be the largest supply chain attack in its history. The maintainer known as "qix" was targeted by a sophisticated phishing campaign, and the stolen account was used to publish malicious versions of 18 popular npm packages.
The compromised packages include core libraries such as chalk (300 million downloads per week), debug (357.6 million), strip-ansi (261 million) and color-convert (193 million). Together these packages account for over 2.6 billion weekly downloads, so millions of projects worldwide were potentially exposed.
The full list of affected packages is available on the blog of Aikido, the company that was first to report the incident.
What makes this attack unusual is its target. Unlike classic supply chain attacks that go after the development environment or CI pipeline, the injected code does nothing on the developer's machine: it waits until it runs in a browser and then tampers with cryptocurrency transactions made from that browser, turning everyday development libraries into a crypto-stealer.

Timeline of the attack
September 8, 2025, 1:16 PM UTC (T): the first malicious package versions are published to npm
T+10 minutes: the attack is identified by automated monitoring systems
T+1 hour: public alert issued
T+2 hours: compromised versions no longer available; total exposure window of about two hours
September 8, 2025, 10:19 PM UTC: platforms such as Vercel purge their build caches ( https://vercel.com/blog/critical-npm-supply-chain-attack-response-september-8-2025 )
Impacts for users and targets of this campaign
Risks to end users
Users of browser-based crypto wallets (MetaMask, Phantom, Trust Wallet) are the intended victims of this attack. The malware behaves as an advanced crypto-clipper that:
Intercepts Web3 interactions in real time
Substitutes destination addresses with wallets controlled by the attackers
Manipulates transactions before signing, making fraud invisible
Targets multiple blockchains : Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash
Infection vector: Targeted phishing
The attack began with a sophisticated phishing campaign targeting NPM maintainers. The attackers:
Created the npmjs[.]help domain three days before the attack
Sent emails from support@npmjs[.]help mimicking official support
Threatened with account lockout before September 10, 2025
Used phishing pages hosted on BunnyCDN to capture the maintainer's credentials and 2FA codes
Technical analysis of the malicious payload
The injected code uses a dual attack strategy:
Passive attack: lookalike address replacement
The malware monkey-patches the browser's fetch and XMLHttpRequest functions so that every request and response passes through its own code. When it finds a cryptocurrency address in that data, it uses a Levenshtein distance computation to select, from its hard-coded lists of attacker-controlled addresses, the one that most closely resembles the legitimate address, and substitutes it. Because the chosen address shares most of its characters (typically the leading and trailing ones a user glances at) with the original, the substitution is very hard to spot with the naked eye.

Active attack: transaction hijacking
When a crypto wallet is detected in the page, the malware wraps the wallet's communication methods (request, send) so that it sees every transaction before it is handed to the wallet for signature. It modifies the transaction data in memory, replacing the recipient address with an address controlled by the attacker, for example the Ethereum address 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976. The dApp's own user interface still shows the address the user typed; only the wallet's confirmation screen shows what is actually about to be signed.
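The following is an added example written for this article; it is neither the malware's code nor Safercy's. It models the two mechanisms described above (Levenshtein-based lookalike selection for the passive attack, and a wrapper around a wallet's request() method for the active attack) with a stub wallet, and then shows the two checks a defender can run against such a model. All addresses are constructed placeholders, the provider is a synchronous stand-in for the EIP-1193 request() interface, and no real wallet or network is involved.

```javascript
// Added example, not code from the original post or from the payload.
// Models the lookalike selection and the pre-signature rewrite, plus two defensive checks.

// Levenshtein edit distance between two strings (the metric the payload uses to pick the
// attacker address that most resembles the victim's).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// From a pool of attacker-controlled addresses, return the one closest to `target`.
// Case-insensitive because EVM addresses may carry a mixed-case checksum.
function closestLookalike(target, pool) {
  const t = target.toLowerCase();
  let best = pool[0];
  let bestDistance = Infinity;
  for (const candidate of pool) {
    const d = levenshtein(candidate.toLowerCase(), t);
    if (d < bestDistance) { best = candidate; bestDistance = d; }
  }
  return best;
}

// Constructed placeholder addresses (0x + 40 hex digits); none is a real wallet.
const VICTIM_RECIPIENT = '0x' + '1'.repeat(40);
const ATTACKER_POOL = [
  '0x' + '9'.repeat(40),
  '0x' + '1'.repeat(39) + '9', // differs from the victim's address in the last digit only
  '0x' + '2'.repeat(40),
];

// Stub wallet standing in for the EIP-1193 provider: it records what it would sign.
// Kept synchronous for clarity; a real provider.request() returns a Promise.
function makeStubWallet() {
  const signed = [];
  return {
    signed,
    request(args) {
      if (args.method === 'eth_sendTransaction') signed.push({ ...args.params[0] });
      return '0x-placeholder-tx-hash';
    },
  };
}

// Simplified model of the active attack: wrap provider.request so that the `to` field of an
// eth_sendTransaction is rewritten just before it reaches the wallet.
function hookProvider(provider, pool) {
  const original = provider.request.bind(provider);
  provider.request = function (args) {
    if (args && args.method === 'eth_sendTransaction' && Array.isArray(args.params)) {
      const tx = { ...args.params[0] };
      if (typeof tx.to === 'string') tx.to = closestLookalike(tx.to, pool);
      return original({ ...args, params: [tx, ...args.params.slice(1)] });
    }
    return original(args);
  };
  return provider;
}

// Check 1: in a browser, window.fetch and XMLHttpRequest.prototype.open/send are native
// functions, while a monkey-patched replacement is ordinary script whose source is visible.
// Caveats: a wallet provider injected by an extension is itself script, so this check only
// applies to the browser built-ins, and malware that also patches Function.prototype.toString
// defeats it; treat `true` as the absence of one indicator, not proof of integrity.
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Check 2: compare the complete recipient the user intended with what reached the signer.
// Comparing only a prefix or suffix is not enough; the lookalike shares 39 of 40 digits.
function recipientMatches(intended, observed) {
  return intended.toLowerCase() === observed.toLowerCase();
}

// Run the model end to end and report what the user would actually sign.
function simulate() {
  const wallet = hookProvider(makeStubWallet(), ATTACKER_POOL);
  wallet.request({
    method: 'eth_sendTransaction',
    params: [{ from: '0x' + '0'.repeat(40), to: VICTIM_RECIPIENT, value: '0x1' }],
  });
  const signedTo = wallet.signed[0].to;
  return { intended: VICTIM_RECIPIENT, signedTo, swapped: !recipientMatches(VICTIM_RECIPIENT, signedTo) };
}

console.log(JSON.stringify(simulate(), null, 2));
```

The point of the model is the asymmetry it exposes: the dApp never sees the swap, because the rewrite happens after its code has built the transaction, so the only places it can be caught are the browser built-ins (check 1) and the wallet's own confirmation screen, where the full address, not its first and last characters, must be compared (check 2).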
Actual damage from the attack
Despite the potential scale of this attack, the financial damage was limited to less than $50. According to the Security Alliance, only the Ethereum address 0xFc4a48... received stolen funds. This low return is explained by:
Rapid detection (within minutes of publication)
The community's immediate reaction in removing the malicious versions
Timing that was unfavourable to the attacker (low on-chain activity during the exposure window)
Active monitoring of the attacker's blockchain addresses by security researchers
Security recommendations
In the event of a confirmed detection, Safercy strongly recommends contacting a company specializing in incident response in order to validate the impacts of the attack.
The obfuscated payload contains the identifier _0x112fa8, which can be used as a quick signature. Run one of the following from the project root (so that node_modules and build output are included) with ripgrep or grep:
rg -u --max-columns=80 _0x112fa8
grep -R _0x112fa8 .
For developers
Immediate dependency audit: check whether any compromised version is installed in your projects. Once the advisories are published, npm audit reports them; until then, compare the versions that npm ls reports against the published list. For example:
npm audit
Use npm overrides: force known-good versions of the affected packages in your package.json so that transitive dependencies cannot pull a compromised one
Complete rebuild: remove node_modules and package-lock.json, then reinstall, and purge any build caches (CI, hosting platform) that may still hold a compromised version
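The procedure above (find which versions are installed, compare them with the published list, then pin) can be scripted. The following is an added example written for this article, not a Safercy or npm tool. It walks the node_modules tree, including nested copies that a lockfile may have pinned, and flags any installed name@version that appears in a blocklist file you supply; the blocklist contents and the package.json fixtures in its usage are deliberately placeholders, not the real compromised versions, so fill the file from the published list before relying on it.

```sh
#!/bin/sh
# Added example (not part of the original post): report installed versions of the packages
# named in the incident and flag those listed in a "name@version" blocklist file.
# Nothing here hard-codes the compromised versions; you supply them in the blocklist.

# Print "name version path" for each copy of the given packages under $root, including
# nested copies such as node_modules/a/node_modules/chalk, since a lockfile can pin
# several versions of the same package side by side.
installed_versions() {
  root=$1; shift
  for name in "$@"; do
    find "$root" -path "*/node_modules/$name/package.json" -type f 2>/dev/null |
    while IFS= read -r pkg; do
      # Pull the "version" field without depending on jq or node being installed.
      ver=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
      [ -n "$ver" ] || ver=unknown
      printf '%s %s %s\n' "$name" "$ver" "$pkg"
    done
  done
}

# Print one "COMPROMISED name@version at path" line per hit and exit 1 if there is any.
# The match is exact on name@version, so a blocklisted 1.2.3 does not flag 1.2.30.
check_blocklist() {
  root=$1; blocklist=$2; shift 2
  installed_versions "$root" "$@" | awk -v list="$blocklist" '
    BEGIN { while ((getline line < list) > 0) if (line != "") bad[line] = 1 }
    {
      key = $1 "@" $2
      path = $0; sub(/^[^ ]* [^ ]* /, "", path)   # keep paths that contain spaces intact
      if (key in bad) { print "COMPROMISED " key " at " path; n++ }
    }
    END { if (n > 0) exit 1 }'
}

# Usage: sh check_npm_versions.sh <project root> <blocklist file> [package ...]
# With no package names, the four packages named in the post are checked.
if [ "$#" -ge 2 ]; then
  project_root=$1; blocklist_file=$2; shift 2
  [ "$#" -gt 0 ] || set -- chalk debug strip-ansi color-convert
  check_blocklist "$project_root" "$blocklist_file" "$@"
fi
```

A non-zero exit status makes the script usable as a CI gate. Once the known-good versions are identified, pin them with the "overrides" field of package.json (for example "overrides": { "chalk": "<known-good version>" }), then rebuild from a clean node_modules so the override is actually applied to transitive dependencies.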
For cryptocurrency users
Recommended hardware wallets : Favor devices with a secure screen supporting Clear Signing
Systematic verification : Always check destination addresses before signing
Avoid blind signing : Never sign transactions without full verification
Update browsers and extensions: keep software wallets up to date
For businesses
Supply chain monitoring : Implement automated monitoring tools ( SaferFind allows this type of supervision)
Secure CI/CD environments: use isolated and controlled runners
Dependency policy: freeze critical versions and audit updates
Team training : Raise awareness of phishing techniques targeting developers (Safercy can also support you through workshops and training)
Need help securing your infrastructure?
This attack demonstrates the criticality of supply chain security in the modern development ecosystem. The consequences could have been catastrophic without the rapid detection and coordinated response of the security community.
Safercy helps companies secure their software supply chains and respond to security incidents. Our team of cybersecurity experts can help you:
Audit your dependencies and identify risks
Implement real-time monitoring solutions
Train your teams in good security practices
Respond quickly to security incidents
In the face of constantly evolving threats, preparation and expertise make the difference between a controlled crisis and a disaster.
Indicators of Compromise
Kind | Value |
Domain | npmjs[.]help |
Email sender | support@npmjs[.]help |
Ethereum address (attacker) | 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976 |
Identifier in obfuscated payload | _0x112fa8 |