Introduction
In September 2025, the JavaScript ecosystem experienced one of its most significant supply-chain scares to date. Malicious code was slipped into some of the most popular npm packages in the world. Collectively, these packages accounted for more than 2 billion weekly downloads. Surprisingly, the attackers didn’t use a new zero-day exploit or advanced malware to get in. Instead, they used the oldest trick in the book: phishing, or more accurately, spear-phishing.
How It Started: Spear-Phishing Maintainers

On 5 September, attackers registered a fake domain: npmjs.help.
Soon after, they launched a spear-phishing campaign using the address support@npmjs.help.
Emails warned package maintainers that their two-factor authentication (2FA) setup was outdated and accounts would be locked on 10 September unless they updated immediately.
The link in the email led to a phishing portal that perfectly mimicked npm’s login page. Any credentials entered there, including one-time 2FA codes, were silently sent to the attackers.
At least one maintainer, Josh Junon (known for the “chalk” and “debug” packages), confirmed falling victim. With his account in hand, the attackers had all they needed.
The Attack: Malicious Package Updates

On 8 September, around 15:16 SAST, malicious versions of widely used packages including chalk, debug, and ansi-styles were pushed to npm. The inserted code was designed to target cryptocurrency transactions:
It hooked into browser APIs like window.ethereum.
It intercepted network requests (fetch, XMLHttpRequest).
It scanned intercepted data for cryptocurrency wallet addresses and silently replaced them with attacker-controlled addresses.
On Solana, the code even broke transactions by replacing recipients with an invalid string.
Impact: A Narrow Infection Window

The good news?
The malicious versions were live for only about two hours (8 September, ~15:00–17:30 SAST).
Only users who performed fresh installs during that window, generating a new package-lock.json, were at risk.
The bad news?
Those packages collectively reach billions of developers.
Anyone installing during the window could have unknowingly shipped malware downstream.
Financial Losses
Despite the massive potential, the actual crypto theft was tiny:
Around $0.05 in ETH
Roughly $20 in an obscure token
The real cost is in trust and cleanup. Teams worldwide scrambled to patch, audit dependencies, and reassure customers.
Why It Matters
This attack highlights the fragility of the software supply chain:
A single spear-phished maintainer opened the door to billions of potential victims.
Even short-lived attacks can ripple globally in minutes.
The financial damage this time was minimal, but the lesson is clear: the stakes are high.
Key Takeaways for Developers & Teams
Be vigilant against spear-phishing. Even seasoned developers can be fooled by urgent, convincing messages.
Verify domains. npmjs.help looked plausible at a glance, but was malicious.
Use strong authentication. Hardware security keys offer stronger protection than SMS or app-based 2FA alone.
Audit dependencies regularly. Even trusted packages can become compromised.
The September 2025 npm attack will be remembered not for the money stolen, but for the wake-up call it delivered. The software supply chain is only as strong as its weakest link, and in this case, one phished maintainer account was almost enough to unravel it.
Next time, the outcome may not be so forgiving.
Get Prventi today and strengthen your team's cyber defence
Don’t wait for an attack. Prepare your business with Prventi’s phishing simulation and innovative cybersecurity training.
No credit card required. Cancel anytime.