A widespread supply-chain attack has hit the npm ecosystem after attackers gained control of a prominent maintainer account and pushed malicious updates to 18 popular JavaScript packages. The compromised libraries together see about 2 billion weekly downloads, allowing the injected code to silently detect Web3 wallets in browsers and attempt to redirect cryptocurrency transactions to attacker-controlled addresses.
The breach began with a convincing phishing message that led to a reset of the maintainer's two-factor authentication, letting the intruders publish poisoned versions before maintainers and security teams rolled the changes back. The incident underlines how fragile open-source supply chains remain and renews calls for stricter account protections and provenance checks.
List of compromised npm packages (affected version – weekly downloads)
- backslash 0.2.1 – 0.26M weekly downloads
- chalk-template 1.1.1 – 3.9M weekly downloads
- supports-hyperlinks 4.1.1 – 19.2M weekly downloads
- has-ansi 6.0.1 – 12.1M weekly downloads
- simple-swizzle 0.2.3 – 26.26M weekly downloads
- color-string 2.1.1 – 27.48M weekly downloads
- error-ex 1.3.3 – 47.17M weekly downloads
- color-name 2.0.1 – 191.71M weekly downloads
- is-arrayish 0.3.3 – 73.8M weekly downloads
- slice-ansi 7.1.1 – 59.8M weekly downloads
- color-convert 3.1.1 – 193.5M weekly downloads
- wrap-ansi 9.0.1 – 197.99M weekly downloads
- ansi-regex 6.2.1 – 243.64M weekly downloads
- supports-color 10.2.1 – 287.1M weekly downloads
- strip-ansi 7.1.1 – 261.17M weekly downloads
- chalk 5.6.1 – 299.99M weekly downloads
- debug 4.4.2 – 357.6M weekly downloads
- ansi-styles 6.2.2 – 371.41M weekly downloads