
Unpacking the Recent npm Supply Chain Attack: What We Know So Far

Posted on: 10 September 2025 | Author: Foresiet

The software supply chain has once again come under fire, with npm — the world’s largest package ecosystem — at the center of one of the most significant compromises to date. Recent findings suggest that attackers successfully hijacked a maintainer account through phishing, injecting malicious code into popular open-source packages with billions of weekly downloads.

This incident is already being described as one of the largest supply chain attacks in history, not only because of the sheer number of affected downloads, but also because of the critical role these libraries play in modern web applications. Libraries such as debug, chalk, ansi-styles, strip-ansi, and supports-color are foundational dependencies, directly or indirectly powering countless frameworks, SaaS applications, and enterprise solutions.

How the Attack Unfolded

While the full technical details are still emerging, the initial vector appears to be a phishing campaign targeting npm maintainers. Attackers tricked maintainers into logging into fake npm portals, harvesting credentials and publishing tokens. With this access, they were able to push malicious versions of well-known packages.


The malicious code primarily targeted cryptocurrency-related activities. Obfuscated scripts modified index.js files to intercept transactions, replace legitimate wallet addresses with attacker-controlled addresses, and tamper with APIs, websites, and wallet interactions.

From the obfuscated script, we extracted several blockchain addresses used in this campaign:

  • 0x66a9893c07D91D95644AEDD05D03f95e1dBA8Af
  • 0x10ed43c718714eb63d5aa57b78b54704e256024e
  • 0x13f4ea83d0bd40e75c8222255bc855a974568dd4
  • 0x1111111254eeb25477b68fb85ed929f73a960582
  • 0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9f

At this stage, it is important to note that many of these are swap contract addresses (for example, the Uniswap v4 universal router) rather than direct attacker wallets. However, they illustrate how the malicious payload was designed to hook into financial flows and manipulate them for illicit gain.

Compromised Packages

Based on our current analysis, at least 18 npm packages were compromised during this incident. Together, these account for over 2.6 billion weekly downloads. Among them:

  • ansi-styles (371.41M)
  • debug (357.6M)
  • backslash (0.26M)
  • chalk-template (3.9M)
  • supports-hyperlinks (19.2M)
  • has-ansi (12.1M)
  • simple-swizzle (26.26M)
  • color-string (27.48M)
  • error-ex (47.17M)
  • color-name (191.71M)
  • is-arrayish (73.8M)
  • slice-ansi (59.8M)
  • color-convert (193.5M)
  • wrap-ansi (197.99M)
  • ansi-regex (243.64M)
  • supports-color (287.1M)
  • strip-ansi (261.17M)
  • chalk (299.99M)

The scale of this compromise is unprecedented: these packages form the backbone of applications used by startups, Fortune 500 companies, and everything in between.

CVE and Ongoing Analysis

At this time, there is no confirmed CVE directly tied to this specific wave of attacks. However, a recently assigned CVE (CVE-2025-54313) for malicious versions of eslint-config-prettier — which leveraged post-install scripts to drop Windows malware — demonstrates how quickly these incidents are surfacing in the ecosystem.

It is believed that the npm compromise may be linked to, or at least shares techniques with, the threat actors involved in the Bytebee-related compromises earlier this year. Our team is actively analyzing overlaps between these incidents and continues to monitor for newly assigned CVEs.

At this stage, we emphasize caution: the attribution, wallet involvement, and exploit mechanisms remain under investigation. Our analysis is ongoing, and further technical details will be released as verification proceeds.

What This Means for the Ecosystem

This incident reinforces a harsh reality: open-source supply chain security is fragile. Attackers no longer need to find zero-day vulnerabilities in software — instead, they exploit the trust placed in maintainers and distribution platforms. By phishing a single maintainer, they can instantly compromise hundreds of millions of downstream projects.

For developers and organizations, this attack highlights the urgent need for:

  • Mandatory multi-factor authentication (MFA) for all maintainers.
  • Automated package integrity checks (e.g., verifying checksums).
  • Dependency monitoring and alerts for anomalous version releases.
  • Consideration of software bill of materials (SBOM) in critical environments.

Conclusion

The npm compromise is still unfolding, and while early signs indicate that direct financial theft may have been limited, the broader implications are enormous. Billions of downloads were exposed to malicious code, and the reputational impact to open-source supply chains will last much longer.

Our team is actively engaged in tracking this incident, mapping attacker infrastructure, and correlating potential CVEs. We will continue to provide updates as our investigation deepens.

For now, the key takeaway is clear: the supply chain is under attack, and vigilance is no longer optional.
