npm Maintainer Phished, 18 Packages Compromised
This week, a maintainer on npm (the package registry for JavaScript) was tricked by a phishing message posing as a two-factor authentication reset. Attackers took over the account and pushed malicious updates to about 18 popular libraries, including chalk and debug.
Those packages see roughly two billion downloads a week, and the injected code tried to swap crypto addresses while people sent funds in their browser.
Our take: Tools extend the developer, and dependencies extend the blast radius. Know what you install. Read the changelog before you bump. Pin exact versions. Verify signatures or hashes when vendors offer them.
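As an added example (not code from the original post or from npm itself), the script below audits a project's package.json and package-lock.json for two of the habits above: exact version pins and an integrity hash on every locked package. The manifest and lockfile are constructed sample data; the versions and hashes are placeholders, not real releases.

```javascript
// Audit an npm manifest plus its lockfile (lockfile v2/v3 "packages" layout)
// for unpinned direct dependencies, locked packages without an integrity hash,
// and drift between a pinned version and what the lockfile actually resolved.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const INTEGRITY = /^sha(?:256|384|512)-[A-Za-z0-9+/]+=*$/;

// "node_modules/debug/node_modules/ms" -> "ms"; scoped names keep their scope.
function packageName(lockKey) {
  const idx = lockKey.lastIndexOf('node_modules/');
  return idx === -1 ? lockKey : lockKey.slice(idx + 'node_modules/'.length);
}

// True for a direct install path like "node_modules/chalk", false when nested.
function isTopLevel(lockKey) {
  const rest = lockKey.slice('node_modules/'.length);
  return lockKey.startsWith('node_modules/') && !rest.includes('node_modules/');
}

// Returns findings; an empty list means every direct dependency is pinned to
// one exact version and every locked package carries a usable integrity hash.
function auditDependencies(manifest, lock) {
  const findings = [];
  const direct = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  for (const [name, spec] of Object.entries(direct)) {
    if (!EXACT_VERSION.test(spec)) findings.push({ name, issue: 'unpinned', detail: spec });
  }
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry, not a dependency
    const name = packageName(key);
    if (!INTEGRITY.test(entry.integrity || '')) {
      findings.push({ name, issue: 'missing-integrity', detail: key });
    }
    const pinned = direct[name];
    if (isTopLevel(key) && pinned && EXACT_VERSION.test(pinned) && entry.version !== pinned) {
      findings.push({ name, issue: 'version-drift', detail: `${pinned} pinned, ${entry.version} locked` });
    }
  }
  return findings;
}

// Constructed sample input: one range spec, one pinned dependency whose lock
// entry drifted and lacks an integrity hash, one nested transitive dependency.
const SAMPLE_MANIFEST = { name: 'sample-app', dependencies: { chalk: '^5.0.0', debug: '4.3.4' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/chalk': { version: '5.0.1', integrity: 'sha512-PLACEHOLDERHASH==' },
    'node_modules/debug': { version: '4.3.5' },
    'node_modules/debug/node_modules/ms': { version: '2.1.2', integrity: 'sha512-PLACEHOLDERHASH2=' },
  },
};

console.log(auditDependencies(SAMPLE_MANIFEST, SAMPLE_LOCK));
```

Run it against a real checkout by replacing the sample objects with `JSON.parse(fs.readFileSync(...))` of the two files; any finding is a reason to stop and look before the next `npm install`.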
If you get hit, disclose fast, rotate keys, ship a clean patch, and share indicators so others can check their systems.
Nothing is 100% safe. Knowledge narrows the blast radius. How you do anything is how you do everything.
Source: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised · https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/ · https://jfrog.com/blog/new-compromised-packages-in-largest-npm-attack-in-history/ · https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack · https://www.paloaltonetworks.com/blog/cloud-security/npm-supply-chain-attack/