pull down to refresh

from Claude...
Based on the research I've gathered, here are the 18 specific NPM packages that were compromised in this supply chain attack:

The Compromised Packages (with weekly download numbers):

Starting at September 8th, 13:16 UTC, these 18 very popular packages were compromised:
Highest Impact Packages:
  • ansi-styles - 371.41 million downloads/week
  • debug - 357.6 million downloads/week
  • chalk - 299.99 million downloads/week
  • strip-ansi - 261.17 million downloads/week
  • ansi-regex - 243.64 million downloads/week
  • wrap-ansi - 197.99 million downloads/week
  • color-convert - 193.5 million downloads/week
  • color-name - 191.71 million downloads/week
Medium Impact Packages:
  • is-arrayish - 73.8 million downloads/week
  • slice-ansi - 59.8 million downloads/week
  • error-ex - 47.17 million downloads/week
  • color-string - 27.48 million downloads/week
  • simple-swizzle - 26.26 million downloads/week
  • supports-hyperlinks - 19.2 million downloads/week
  • has-ansi - 12.1 million downloads/week
Lower Impact Packages:
  • chalk-template - 3.9 million downloads/week
  • supports-color - 287.1 million downloads/week
  • backslash - 0.26 million downloads/week

What These Packages Do

These are all fundamental utility packages that handle basic functions like:
  • Text coloring and formatting (chalk, ansi-styles, color-convert)
  • Debugging output (debug)
  • String manipulation (strip-ansi, wrap-ansi)
  • Error handling (error-ex)

The Scale

These utilities underpin much of the modern web and collectively account for more than 2.6 billion weekly downloads. They're the kind of packages that get included in almost every JavaScript project without developers even realizing it.

How the Attack Happened

Hackers compromised the npm account of Josh Goldberg, a well-known open-source maintainer known as "Qix," through a phishing campaign that targeted npm maintainers with emails impersonating the platform's support team.
These aren't flashy frameworks - they're the invisible building blocks that millions of websites and applications depend on, which is exactly what made this attack so devastating.
reply
How the heck does an experienced open source maintainer fall for a phishing attack?
It must have been a very sophisticated and convincing phishing attempt?!
reply
reply
132 sats \ 5 replies \ @freetx 17h
Something about this story is strange: So a NPM library has been downloaded a billion times is suddenly discovered to have BTC address-swapping code?
The only way I can see that as plausible is if some major exchange: Binance / Coinbase, etc is using said NPM library. What other "wallets" could account for a billion downloads?
reply
Yeah, I don't get it either. Good thing I use a wallet that doesn't use npm.
reply
94 sats \ 1 reply \ @freetx 17h
So here is the gist of all the swap addresses extracted from malware. https://gist.github.com/jdstaerk/f845fbc1babad2b2c5af93916dd7e9fb
I've checked about 10 of the 'bc1' bitcoin ones and don't see any transactions.
I've also checked some of the eth ones on etherscan and don't see any meaningful activity on those....(a few .000015 transactions, that may be test from original malware developer, but nothing significant).
So what does this mean? A billion downloads and no transactions?
reply
Me neither. maybe folks are stepping up their game and checking the full address instead of just the beginning and end.
reply
reply
11 sats \ 0 replies \ @freetx 17h
The code first checks for the existence of window.ethereum, an object injected by wallet extensions like MetaMask. If no wallet is found, it proceeds with a passive attack.
Hmm...yes I forgot about MetaMask....thats probably the intended target.
reply
Thanks!
reply
56 sats \ 0 replies \ @ek 17h
Our package-lock.json specified the stable version 1.3.2 or newer, so it installed the latest version 1.3.3, which got published just a few minutes earlier.
I assume they meant package.json and this only happens when you run npm install, not npm ci?
Isn't my package-lock.json specifying exactly which version of dependencies to install for npm ci?
reply