In the largest supply chain attack, hackers compromised 18 popular npm packages, which together account for over two billion downloads per week. The attack, which began on September 8th, involved injecting malicious code designed to steal cryptocurrency from users.<\/p>\n
The compromised packages include widely used libraries such as The malware silently intercepts cryptocurrency and Web3 activities within the browser, manipulating wallet interactions and rewriting payment destinations to redirect funds to attacker-controlled accounts.<\/p>\n The malware operates as a sophisticated in-browser interceptor, targeting both network traffic and application-level APIs. It achieves this by hooking into core browser functions like The malicious code works in a series of steps:<\/p>\n The maintainer of the compromised packages revealed they fell victim to a phishing attack. An email, seemingly from npm support, was sent from the domain This domain was registered only three days before the attack on September 5, 2025.<\/p>\n The maintainer became aware of the compromise and began taking steps to remove the malicious versions of the packages. However, at the time of the report, at least one package, The incident also revealed that the same attackers may have compromised another package, The following table lists the affected packages and the compromised versions:<\/p>\n Find this Story Interesting! Follow us on Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n The post Hackers Hijacked 18 Very Popular npm Packages With 2 Billion Weekly Downloads<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nchalk<\/code>, debug<\/code>, ansi-styles<\/code>, and supports-color<\/code>. The malicious code was added in new versions of these packages and was engineered to execute on the client-side of websites using them.<\/p>\nPopular npm Packages Hacked<\/strong><\/h2>\n
fetch<\/code> XMLHttpRequest<\/code>, as well as interfaces for popular crypto wallets for Ethereum<\/a>, Solana, and other blockchains, Akidio observed.<\/p>\n\n
npmjs.help<\/code>, tricking the developer into revealing their credentials, according to a Hacker News post<\/a>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg27WW4AL7mELnFS1x-XXC_XtO-uIz80RzKU6XSQe-0oCBhQgUQTon7ZAb5ey-An_iX9MksnQQ1u6t11Yrv6HjHG5Nt5yiL9uanoBnAynXkEosCxbgzdZGU7MZ4Wt1w6D_hUNGOMAK7GZpJTakKJ_72cvgAo3q1xm8BgPRYbrutAOrQ3_v0o_0v9JxAg_tm\/s16000\/68bf028d86e3642f1268253f_050c42b9.webp?ssl=1\")
simple-swizzle<\/code>, remained compromised.<\/p>\nproto-tinker-wc<\/code>, using similar methods.<\/p>\n\n\n
\n \nPackage<\/th>\n Malicious Version<\/th>\n<\/tr>\n<\/thead>\n \n backslash<\/code><\/td>\n0.2.1<\/td>\n<\/tr>\n \n chalk-template<\/code><\/td>\n1.1.1<\/td>\n<\/tr>\n \n supports-hyperlinks<\/code><\/td>\n4.1.1<\/td>\n<\/tr>\n \n has-ansi<\/code><\/td>\n6.0.1<\/td>\n<\/tr>\n \n simple-swizzle<\/code><\/td>\n0.2.3<\/td>\n<\/tr>\n \n color-string<\/code><\/td>\n2.1.1<\/td>\n<\/tr>\n \n error-ex<\/code><\/td>\n1.3.3<\/td>\n<\/tr>\n \n color-name<\/code><\/td>\n2.0.1<\/td>\n<\/tr>\n \n is-arrayish<\/code><\/td>\n0.3.3<\/td>\n<\/tr>\n \n slice-ansi<\/code><\/td>\n7.1.1<\/td>\n<\/tr>\n \n color-convert<\/code><\/td>\n3.1.1<\/td>\n<\/tr>\n \n wrap-ansi<\/code><\/td>\n9.0.1<\/td>\n<\/tr>\n \n ansi-regex<\/code><\/td>\n6.2.1<\/td>\n<\/tr>\n \n supports-color<\/code><\/td>\n10.2.1<\/td>\n<\/tr>\n \n strip-ansi<\/code><\/td>\n7.1.1<\/td>\n<\/tr>\n \n chalk<\/code><\/td>\n5.6.1<\/td>\n<\/tr>\n \n debug<\/code><\/td>\n4.4.2<\/td>\n<\/tr>\n \n ansi-styles<\/code><\/td>\n6.2.2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n