Unknown Actors Launch High Severity NPM Supply Chain Malware Attack

Threat Group – Unknown criminal actors via phishing campaign
Threat Type – Supply-Chain Attack / Malware Injection
Exploited Vulnerabilities – Phishing via typosquatted domain, credential theft, token misuse
Malware Used – Crypto-wallet address swap, WebSocket-based backdoor, Scavenger infostealer
Threat Score – 7.5 🔴 High – Advanced targeted attack on trusted dev ecosystem; widespread impact and high stealth
Last Threat Observation – September 9, 2025


Overview

A highly sophisticated and wide-reaching supply-chain attack targeted the NPM ecosystem in early September 2025. Attackers deployed phishing emails from domains mimicking official npm communications to steal credentials from prominent maintainers. This allowed them to inject malware into numerous popular NPM packages—collectively downloaded billions of times per week—with the intent to compromise developer environments and manipulate cryptocurrency transactions.


Key Details

Delivery Method

  • Phishing campaign via a spoofed domain requesting 2FA reset. One developer complied under stress, enabling account takeover.
  • Attackers exploited stolen credentials to inject malicious code directly into existing trusted NPM packages hosted on the registry.

Targets

  • Over 18 high-profile NPM packages, with billions of weekly downloads.
  • Compromise confirmed in widely used packages including developer utilities and core JavaScript libraries.

Functions

  • Crypto-wallet address swapping, automatically redirecting funds to attacker-controlled accounts
  • WebSocket-based backdoors enabling remote code execution
  • Scavenger infostealer malware harvesting browser-stored secrets such as tokens and credentials

Obfuscation

  • Use of legitimate-looking domains and email content to bypass suspicion
  • Injection of malicious code into well-established packages, making detection more difficult

Attack Vectors

  1. Phishing email → fake 2FA link → credential/token theft
  2. Registry access → malicious package publication
  3. Downstream installation → malware execution (crypto redirect, backdoor, data theft)

Known Indicators of Compromise (IoCs)

Domains

  • npmjs[.]help

Hashes & Scripts

  • SHA-256: c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441
  • SHA-256: 5bed39728e404838ecd679df65048abcb443f8c7a9484702a2ded60104b8c4a9
  • C2 domains: firebase[.]su, dieorsuffer[.]com, smartscreen-api[.]com
  • Payload script: install.js

Compromised Packages & Versions

  • is: versions 3.3.1 through 5.0.0
  • eslint-config-prettier: versions 8.10.1, 9.1.1, 10.1.6, 10.1.7
  • eslint-plugin-prettier
  • synckit@0.11.9
  • @pkgr/core@0.2.8
  • napi-postinstall@0.3.1
  • ansi-styles@6.2.2
  • debug@4.4.2
  • chalk@5.6.1
  • supports-color@10.2.1
  • strip-ansi@7.1.1
  • ansi-regex@6.2.1
  • wrap-ansi@9.0.1
  • color-convert@3.1.1
  • color-name@2.0.1
  • is-arrayish@0.3.3
  • slice-ansi@7.1.1
  • color@5.0.1
  • color-string@2.1.1
  • simple-swizzle@0.2.3
  • supports-hyperlinks@4.1.1
  • has-ansi@6.0.1
  • chalk-template@1.1.1
  • backslash@0.2.1
  • error-ex@1.3.3

Mitigation and Prevention

User Awareness

  • Educate maintainers on targeted phishing threats, especially fake 2FA communications
  • Reinforce verification of email domains and links before interaction

Email Filtering

  • Block phishing attempts from domains similar to official npm domains

Antivirus & Endpoint Protection

  • Ensure tools detect Scavenger-style payloads, backdoors, and remote execution modules

Two-Factor Authentication (2FA)

  • Strongly enforce MFA on maintainer accounts; verify robustness against phishing

Log Monitoring

  • Monitor for unusual publishing activity such as sudden version spikes
  • Track traffic to suspicious domains and anomalies in post-install scripts

Regular Updates

  • Revert to known good versions; uninstall suspicious ones
  • Encourage dependency pinning and integrity verification

Risk Assessment

Threat Score: 7.5 🔴 High

  • Scope & Impact: Extremely broad—billions of downloads impacted
  • Stealth & Sophistication: Advanced phishing, crypto redirection, backdoors, multi-stage infostealers
  • Detectability & Response: Limited window before detection; registry-only injection bypassed GitHub reviews
  • Remediation Complexity: Requires ecosystem-wide updates, credential revocation, and developer training

Conclusion

The September 2025 NPM supply-chain attack represents one of the most severe incidents in the open-source ecosystem. By leveraging phishing and registry-level compromise, attackers injected malware into trusted packages, enabling remote execution, data theft, and cryptocurrency redirection. The event highlights the critical importance of phishing resistance, MFA enforcement, package integrity checks, and continuous monitoring. Organisations must remain vigilant and strengthen their supply-chain security posture.
