
On September 8, 2025, a large-scale npm supply chain attack compromised 18 foundational JavaScript packages, putting billions of applications at risk. The incident began with a phishing campaign targeting a prominent package maintainer, Josh Junon, who was lured into entering his login and two-factor authentication (2FA) credentials on a fake npm website. The attackers then used that access to publish malicious updates containing hidden code designed to monitor and redirect cryptocurrency transactions in web browsers. The affected packages, including “ansi-styles” and “chalk,” collectively accounted for over 2.6 billion weekly downloads, showing how far a single maintainer’s compromise can reach. Both sources stress the urgent need for developers to audit their dependencies, update to clean versions, and adopt stronger safeguards such as phishing-resistant 2FA and regular monitoring to prevent future attacks.
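The dependency audit the summary calls for can be started from a project's own `package-lock.json`: the added example below (not code from the article or from npm) walks a lockfile v2/v3 `packages` map, reports every installed copy of the named packages, including copies nested under other dependencies, and flags any version not on a clean-version allowlist. The package names come from the page; the sample lockfile and the allowlist versions are constructed placeholders, and a real run would fill the allowlist from the advisory for the incident.

```javascript
// Extract the package name from a lockfile "packages" key such as
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
// The root entry ("") has no node_modules segment and yields null.
function nameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Return one finding per installed copy of a watched package.
// `allowed` maps package name -> Set of versions the advisory marks clean.
// Nested copies (node_modules/x/node_modules/chalk) are reported too,
// since a transitive dependency can pin a bad version the top level does not.
function auditLockfile(lock, allowed) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromKey(key);
    if (!name || !(name in allowed)) continue;
    findings.push({
      name,
      version: meta.version,
      path: key,
      clean: allowed[name].has(meta.version),
    });
  }
  return findings;
}

// Constructed sample lockfile: two copies of chalk (one nested), one ansi-styles.
// Version numbers are made up for the example, not real release data.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/chalk": { version: "1.2.3" },
    "node_modules/ansi-styles": { version: "4.5.6" },
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/chalk": { version: "9.9.9" },
  },
};

// PLACEHOLDER allowlist: replace with the clean versions from the actual advisory.
const ALLOWED = {
  chalk: new Set(["1.2.3"]),
  "ansi-styles": new Set(["4.5.6"]),
};

for (const f of auditLockfile(SAMPLE_LOCK, ALLOWED)) {
  console.log(`${f.clean ? "ok  " : "FLAG"} ${f.name}@${f.version}  (${f.path})`);
}
```

To audit a real project, replace `SAMPLE_LOCK` with the parsed contents of its `package-lock.json` and populate `ALLOWED` from the advisory; a lockfile v1 file uses a nested `dependencies` tree instead of `packages` and is not handled here.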
