Massive npm supply‑chain compromise injects browser crypto‑stealer into 18 packages
Key update
On September 8, 2025, attackers phished the npm account of a prolific maintainer (Qix / Josh Junon) and published malicious releases across 18 packages with a combined weekly download count measured in the billions; the injected code executes in browsers to intercept wallet/network APIs and rewrite cryptocurrency recipients so funds are diverted to attacker-controlled addresses. (pt.aikido.dev)
Why it matters
This is not a theoretical repository compromise: these packages (chalk, debug, ansi‑styles and several small but highly transitive utilities) sit in huge dependency graphs and are routinely bundled into frontend builds. The payload only runs in browser contexts, so servers running Node.js were not directly executing the malicious logic, but any build that included the trojaned versions and shipped frontend assets could have exposed end users’ crypto flows during the short live window. Containment actions taken by the community and registry removed the versions quickly, but remediation is operationally painful: teams must pin and rebuild artifacts, purge caches and CDNs, verify lockfiles and deployment artifacts, and treat this as a live supply‑chain incident for incident response and post‑mortem work. (pt.aikido.dev)
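The lockfile check named above, as an added example that is not code from the article or from any of the affected projects: a Node.js function that walks an npm `package-lock.json` (v1 nested `dependencies` or v2/v3 flat `packages`) and reports every installed package@version that appears on a blocklist, including nested copies under another dependency. The package names in the sample are from the incident; the version numbers and the lockfile contents are constructed placeholders, because the affected versions are not listed on this page.

```javascript
// Added example, not code from the article or the affected projects: scan an
// npm package-lock.json for package@version pairs on a blocklist. Versions in
// the sample below are CONSTRUCTED placeholders, not the real affected ones.
function findCompromised(lock, blocklist) {       // blocklist: Map<name, Set<version>>
  const hits = [];
  const check = (name, version, where) => {
    const bad = blocklist.get(name);
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, e.g.
    // "node_modules/debug" or "node_modules/x/node_modules/@scope/pkg".
    for (const [p, meta] of Object.entries(lock.packages)) {
      const idx = p.lastIndexOf("node_modules/");
      if (idx < 0) continue;                 // root entry "" or workspace link
      check(p.slice(idx + "node_modules/".length), meta.version, p);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" trees; nested copies count too.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      check(name, meta.version, where);
      walk(meta.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: names from the incident, version numbers are fake.
const SAMPLE_BLOCKLIST = new Map([
  ["chalk", new Set(["9.9.9"])],
  ["debug", new Set(["9.9.9"])],
  ["ansi-styles", new Set(["9.9.9"])],
]);
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/chalk": { version: "1.0.0" },                       // clean
    "node_modules/debug": { version: "9.9.9" },                       // hit
    "node_modules/x/node_modules/ansi-styles": { version: "9.9.9" }, // nested hit
  },
};
console.log(findCompromised(SAMPLE_LOCK, SAMPLE_BLOCKLIST)); // 2 hits: debug, ansi-styles
```

Run it against each deployed artifact's lockfile, not only the repository's, since a CI cache or CDN bundle can lag behind the source tree.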