DEV Community

Devam Chaudhari

🚨 Largest NPM Compromise in History: A Deep Dive into the 2025 Supply Chain Attack

  • In what is being hailed as the most extensive supply chain attack in the history of the npm ecosystem, 18 widely-used JavaScript packages—including chalk, debug, and ansi-styles—were compromised with malicious code. This breach affected packages with over 2 billion weekly downloads, highlighting a critical vulnerability in the open-source supply chain.

🧩 The Attack Unfolded

  • The breach was traced back to a phishing attack targeting qix, the primary maintainer of several popular npm packages. The attacker impersonated npm support, convincing qix to update their two-factor authentication settings. Once the account was compromised, the attacker published malicious versions of 18 packages, embedding cryptocurrency drainer malware designed to hijack Web3 wallet transactions.

📦 Affected Packages

The compromised packages included chalk, debug and ansi-styles, among the 18 affected.

These packages are deeply integrated into major frameworks and tools, including React, Next.js, and Express, making the attack's reach extensive.

🔍 Technical Details

  • The malicious code was designed to monitor for Web3 wallet addresses and replace them with the attacker's own address, redirecting cryptocurrency transactions in real time. This sophisticated approach allowed the attacker to intercept funds without alerting the user.

  • Security experts have advised developers to audit their dependencies for the presence of the malicious code. One method suggested is searching for the string _0x112fa8 within the project's dependency tree.

🛡️ Community Response and Mitigation

  • The npm community responded swiftly to the breach. The compromised versions were removed from the registry, and maintainers issued advisories to update to safe versions. Security tools like Semgrep and Aikido have been updated to detect the malicious code in affected packages.

  • Discussions on platforms like Reddit and Hacker News have highlighted the risks associated with deep dependency chains and the challenges of securing the open-source supply chain. Some community members have pointed out that the attack's focus on cryptocurrency transactions underscores the need for better security practices in handling sensitive data within the npm ecosystem.

🔗 Further Reading

GitHub Issue #656 – Chalk

Reddit Discussion on r/programming

Security Alliance Report
