
In what is being called the biggest supply chain attack in history, attackers have injected malware into npm packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack.
The maintainer of the affected packages confirmed the compromise today, stating that he was tricked by a phishing email sent from support@npmjs(.)help, a domain hosting a website impersonating the legitimate npmjs.com site.
In the email, the attackers threatened that the targeted maintainers' accounts would be locked on September 10, 2025, an intimidation tactic meant to pressure them into clicking the link to the phishing site.
“As part of our ongoing commitment to account security, we are requesting that all users update their two-factor authentication (2FA) credentials. Our records indicate that it has been more than 12 months since your previous 2FA update,” reads the email.
“To maintain the security and integrity of your account, we kindly ask that you complete this update at your earliest convenience. Please note that accounts with outdated 2FA credentials will be temporarily locked starting September 10, 2025, to prevent unauthorized access.”
The attackers reportedly targeted other package maintainers and developers using the same email, according to reports from those who received the phishing messages.
BleepingComputer found that the npmjs(.)help page also includes a login form that exfiltrates the entered credentials to the following URL:
https://websocket-api2(.)publicvm.com/images/jpg-to-png.php?name=(name)&pass=(password)
Supply chain attack
According to Aikido Security, which analyzed the supply chain attack, the threat actors updated the packages after taking control of the account, injecting malicious code that acts as a browser-based interceptor in the packages' index.js files, capable of hijacking network traffic and application APIs.
The malicious code affects users of the compromised applications only in the web browser, monitoring cryptocurrency addresses and transactions, which are then redirected to an attacker-controlled wallet address. The transaction is hijacked and sent to the attacker's address instead of the intended recipient.
The malware works by injecting itself into the web browser and monitoring Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash wallet addresses or transfers. On network responses containing crypto transactions, it replaces the destinations with an attacker-controlled address, hijacking transactions before they are signed.
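An interceptor of the kind described above has to replace or wrap browser APIs such as fetch, XMLHttpRequest, or a wallet provider object in order to see and rewrite responses. One cheap signal a web application can collect early in page load is whether those globals still carry their native implementation. The following check is an added example and is not code from the article, from Aikido, or from any of the affected packages; SAMPLE_SCOPE is a constructed stand-in for window, and the wrapped JSON.parse only illustrates what a non-native replacement looks like to the check.

```javascript
// Added example: flag global functions that no longer carry a native implementation.
// Source text of a genuine built-in ends in "{ [native code] }"; a JavaScript
// replacement installed by an in-page hook shows its own source instead.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Return the names in `names` whose value on `scope` is missing or not native.
function findPatched(scope, names) {
  return names.filter((n) => !isNativeFunction(scope[n]));
}

// Caveat: a bound native (fn.bind(...)) also reports "[native code]", and a hook
// can override Function.prototype.toString, so a clean result is a heuristic, not
// proof. A stronger reference is the same API read from a freshly created iframe's
// contentWindow before any third-party script has run in it.
function isBoundLookalike(fn) {
  return isNativeFunction(fn) && fn.name.startsWith('bound ');
}

// Constructed scope standing in for `window`: two genuine built-ins and one
// plain-JavaScript replacement of the kind a hook would install.
const SAMPLE_SCOPE = {
  fetch: Math.max,                       // stands in for a native fetch
  XMLHttpRequest: JSON.stringify,        // stands in for a native constructor
  parse: (...args) => JSON.parse(...args), // wrapper: not native, should be flagged
};

function demo() {
  return findPatched(SAMPLE_SCOPE, ['fetch', 'XMLHttpRequest', 'parse', 'missing']);
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('non-native or missing:', demo()); // [ 'parse', 'missing' ]
}
```

In a real page the list passed to findPatched would name the APIs the application depends on (fetch, XMLHttpRequest, WebSocket, and the wallet provider's methods), and a hit would be reported to the backend rather than printed.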
So far, the hijacked packages collectively have more than 2.6 billion weekly downloads:
- backslash (0.26m weekly downloads)
- chalk-template (3.9m weekly downloads)
- supports-hyperlinks (19.2m weekly downloads)
- has-ansi (12.1m weekly downloads)
- simple-swizzle (26.26m weekly downloads)
- color-string (27.48m weekly downloads)
- error-ex (47.17m weekly downloads)
- color-name (191.71m weekly downloads)
- is-arrayish (73.8m weekly downloads)
- slice-ansi (59.8m weekly downloads)
- color-convert (193.5m weekly downloads)
- wrap-ansi (197.99m weekly downloads)
- ansi-regex (243.64m weekly downloads)
- supports-color (287.1m weekly downloads)
- strip-ansi (261.17m weekly downloads)
- chalk (299.99m weekly downloads)
- debug (357.6m weekly downloads)
- ansi-styles (371.41m weekly downloads)
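Most projects pull these packages in transitively, so the practical first step is to find out which of them, and which versions, are pinned in a lockfile. The script below is an added example and is not code from the article or from any of the listed projects. It reads a package-lock.json (v1, v2 or v3 layout) and reports every installed version of the packages named above. The article does not state which versions were compromised, so the version lists in WATCHLIST are left empty as a placeholder to be filled in from the advisory; an empty list makes the script report every installed version for manual comparison. SAMPLE_LOCK is a constructed lockfile used when no path is given.

```javascript
// Added example: list installed versions of the packages named in the article
// from an npm package-lock.json, for comparison against the advisory.
// Usage: node scan-lock.js [path/to/package-lock.json]

// Package names as reported in the article. Placeholder: the compromised
// versions are not in the article; fill each list from the advisory.
const WATCHLIST = {
  'backslash': [], 'chalk-template': [], 'supports-hyperlinks': [], 'has-ansi': [],
  'simple-swizzle': [], 'color-string': [], 'error-ex': [], 'color-name': [],
  'is-arrayish': [], 'slice-ansi': [], 'color-convert': [], 'wrap-ansi': [],
  'ansi-regex': [], 'supports-color': [], 'strip-ansi': [], 'chalk': [],
  'debug': [], 'ansi-styles': [],
};

// Turn a lockfile "packages" key such as "node_modules/a/node_modules/debug"
// into the package name "debug" (scoped names keep their "@scope/" prefix).
// The root entry "" has no node_modules segment and yields null.
function nameFromPath(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Collect name -> Set(version) from the v2/v3 "packages" map and, for v1
// lockfiles, the nested "dependencies" tree.
function installedVersions(lock) {
  const found = new Map();
  const add = (name, version) => {
    if (!name || !version) return;
    if (!found.has(name)) found.set(name, new Set());
    found.get(name).add(version);
  };
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    add(nameFromPath(key), entry.version);
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      add(name, entry.version);
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return found;
}

// Report watchlisted packages. With a non-empty version list only those
// versions are returned and marked confirmed; otherwise every version is listed.
function findWatched(lock) {
  const hits = [];
  for (const [name, versions] of installedVersions(lock)) {
    if (!(name in WATCHLIST)) continue;
    const bad = WATCHLIST[name];
    for (const version of versions) {
      if (bad.length === 0 || bad.includes(version)) {
        hits.push({ name, version, confirmed: bad.includes(version) });
      }
    }
  }
  return hits.sort((a, b) => a.name.localeCompare(b.name) || a.version.localeCompare(b.version));
}

// Constructed sample lockfile (v3 layout) with one nested duplicate.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.0.0' },
    'node_modules/debug': { version: '4.3.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/some-cli/node_modules/chalk': { version: '4.1.2' },
  },
};

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const h of findWatched(lock)) {
    console.log(`${h.name}@${h.version} ${h.confirmed ? '(version listed in advisory)' : '(compare against advisory)'}`);
  }
}
```

Because the malicious code runs in the browser, a hit matters most for packages that end up in a shipped bundle; a CI job that runs this against every lockfile in the organisation, followed by `npm ci` from a lockfile pinned to known-good versions, is the usual containment step.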
“The packages were updated to include a piece of code that executes on the client side of a website, silently intercepting crypto and web3 activity in the browser, manipulating wallet interactions, and rewriting payment destinations so that funds and approvals can be redirected.
“What makes it dangerous is that it operates on many layers: altering the content shown on websites, tampering with API calls, and manipulating what users' apps believe they are signing.”
This supply chain attack follows a series of similar attacks targeting the developers of various popular JavaScript libraries in the last few months.
For example, in July, attackers compromised eslint-config-prettier, a package with more than 30 million weekly downloads, while in March, ten other widely used npm libraries were hijacked and turned into information stealers.
This is a developing story…