Jayson DeLancey for Semgrep

Protecting Yourself from Spear Phishing Attacks Such as the One Targeting NPM Maintainers with 2FA Update

If you are a package maintainer of software used by others, you may not be as prominent a target as journalists or government officials, but you are a target nonetheless. Earlier today one maintainer fell victim to something that could have caught any overworked software engineer: a well-disguised spear phishing message. See: Security Alert | chalk, debug and color on npm compromised in new supply chain attack

This is a reminder to stay vigilant whether you publish libraries on npm, PyPI, cargo, or any other registry.

Spear Phishing

Spear phishing is a more targeted version of phishing, which is what makes it so effective. Instead of a random email blast to thousands of college students, stay-at-home parents and busy professionals, it's tailored to target and trick you specifically. The maintainers of packages in a repository are not kept secret. They are often kindly sharing their work for the benefit of the community at large. That means an attacker can discover the names, contact info, and nature of the work behind popular packages without a lot of effort.

The message they send isn't "Meet singles in your area," it's more like "Update your security settings before you lose access." That small difference is why people fall for it: the message is plausible for its audience and creates a sense of urgency.

What makes this dangerous for open source maintainers is that trust extends beyond the individual. If your account is compromised, the attacker potentially gains the ability to publish new versions of your package. Any downstream consumers, CI/CD systems, or even enterprises could unknowingly install malware. One cracked maintainer account can cascade into a supply chain incident like the one we saw today.

Security Notice: Two-Factor Authentication Update Required

A rather official-looking message was sent to maintainers of packages hosted on npmjs.com, telling them they were overdue for a two-factor update.

[Image: phishing message body]

The message came from a domain that closely resembled the official NPM registry:

Date: Mon, 08 Sep 2025 00:30:21 +0000
From: npm <support@npmjs.help>
Subject: Two-Factor Authentication Update Required

It was free of typos and other errors typically found in spam messages:

As part of our ongoing commitment to account security, we are requesting that 
all users update their Two-Factor Authentication (2FA) credentials. Our records 
indicate that it has been over 12 months since your last 2FA update.

To maintain the security and integrity of your account, we kindly ask that you 
complete this update at your earliest convenience. Please note that accounts 
with outdated 2FA credentials will be temporarily locked starting September 10, 
2025, to prevent unauthorized access.

[Update 2FA Now]

If you have any questions or require assistance, our support team is available to help. You 
may contact us through this link.

Spotting Red Flags in Phishing Emails

Many major corporations have annual mandatory training on how to spot messages like this. That doesn't mean every maintainer has had it.

Domain Lookalikes

The domain npmjs.help was chosen because it looks like npmjs.com; attackers often register lookalike domains, or the same name under a different TLD.

Urgent Call to Action

For something like a 2FA reset, chances are you will have been notified multiple times. If you've ignored earlier warnings it may be time to read more closely, but if it's the first time you've seen a message telling you to reset your password or credentials, there is reason to be suspicious.

Links Behind Buttons

Double-check that you trust any URL that a link or button will take you to. If you disable images from unknown senders, or more austerely read text-only rather than HTML email, you already have a leg up on inspecting where a link really points.
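The two checks above, the lookalike domain and the real target behind a button, can be automated over a saved message. The following is an added example, not code from the original post or from Semgrep: it parses an RFC 822 message, classifies the From: domain and every href in the HTML body against an assumed allowlist of trusted registry domains, and reports hosts whose registered label matches a trusted one under a different TLD, as with npmjs.help versus npmjs.com. The sample message and its link path are constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: the registry and forge domains this maintainer expects account mail from.
TRUSTED = {"npmjs.com", "github.com"}

def registered_label(host):  # 'www.npmjs.help' -> 'npmjs'; naive, no public-suffix list
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def classify_host(host):
    """Return 'trusted', 'lookalike of <domain>' or 'untrusted' for one hostname."""
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    for d in TRUSTED:  # same label under another TLD: npmjs.help vs npmjs.com
        if registered_label(host) == registered_label(d):
            return f"lookalike of {d}"
    return "untrusted"

class LinkCollector(HTMLParser):  # gather every href so the real target, not the button text, is checked
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit_message(raw):
    """Return [(where, host, verdict)] for the From: domain and each link in the HTML body."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].domain
    findings = [("from", sender, classify_host(sender))]
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href in parser.hrefs:
            host = urlparse(href).hostname or ""
            findings.append(("link", host, classify_host(host)))
    return findings

# Constructed sample modelled on the headers quoted in the post; the link path is invented.
SAMPLE = """\
From: npm <support@npmjs.help>
Content-Type: text/html; charset=utf-8

<p><a href="https://npmjs.help/update-2fa">Update 2FA Now</a> or the <a href="https://docs.github.com/">docs</a>.</p>
"""
```

Running audit_message(SAMPLE) flags both the sender domain and the button target as lookalikes of npmjs.com while the docs link is trusted; the label comparison is deliberately naive, so a production version should use a public-suffix list.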

Final Thoughts

I have sympathy for any individuals who are compromised by a coordinated campaign like this. It was executed really well from a social engineering perspective; even if the malware was ineffective (see: The Largest Supply Chain Attack Stole 5 Cents), it can happen to any maintainer.
