Discovered: September 8th, 2025
Impacted Tech: NPM packages – specifically backslash, chalk-template, supports-hyperlinks, has-ansi, simple-swizzle, color-string, error-ex, color-name, is-arrayish, slice-ansi, color-convert, wrap-ansi, ansi-regex, supports-color, strip-ansi, chalk, debug, and ansi-styles
Summary:
On September 8, 2025, Aikido Security detected and disclosed that 18 highly popular npm packages, totaling over 2 billion weekly downloads, had been tampered with to inject malicious code immediately after the maintainer’s account was compromised via phishing. The injected code silently intercepts Web3/browser wallet interactions (e.g., MetaMask, Phantom), rewriting transaction destinations so stolen funds are redirected to attacker-controlled accounts. A developer who updated to one of the affected versions could be exposing users to wallet hijacking attacks.
Verify Exposure:
Aikido’s threat intelligence feed detected abnormal package updates and deobfuscated injected payloads within index.js files. Additionally, independent researchers and maintainers – via GitHub issues, npm audit, and community reports – confirmed the presence of malicious code in affected versions such as chalk@5.6.1.
Interim Mitigation Measures:
- Developers are advised to roll back to known safe versions prior to September 8th, 2025, and run npm audit to detect any flagged versions.
- Ensure known, malicious versions (like chalk@5.6.1 and debug@4.4.2) are removed from build caches. The npm team has removed some, but not all compromised package versions.
- Clear or isolate affected environments and rebuild cleanly. The known, affected versions are listed here: https://news.ycombinator.com/item?id=45169657
- The following command can be used to check whether any compromised packages have been installed (requires ripgrep): rg -u --max-columns=80 _0x112fa8
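As an added example (not the advisory's or Aikido's own tooling), a POSIX sh script that applies the checks above to a project: it looks for the two compromised versions this page names in a package-lock.json, including nested copies, and runs the same identifier search with plain grep for environments without ripgrep. The lockfile and marker file it writes are constructed test data, and the name@version list covers only what this page quotes.

```shell
#!/bin/sh
# Added example, not from the advisory or from Aikido: check an npm project for the two
# compromised versions the advisory names (chalk@5.6.1, debug@4.4.2) and for the
# obfuscated identifier it recommends grepping for. KNOWN_BAD holds only what the
# advisory itself quotes; extend it from the full version list the advisory links to.
KNOWN_BAD="chalk@5.6.1 debug@4.4.2"
INDICATOR="_0x112fa8"

# check_lockfile LOCKFILE: report every compromised name@version pinned in a
# lockfile v2/v3 entry ("node_modules/<name>": { "version": "<ver>", ... }),
# nested copies included. Returns 1 if any were found, 0 if the lockfile is clean.
check_lockfile() {
  lock="$1"; hits=0
  for pkg in $KNOWN_BAD; do
    name="${pkg%@*}"; ver="${pkg##*@}"
    if awk -v n="$name" -v v="$ver" '
        index($0, "node_modules/" n "\":") { inpkg = 1 }
        inpkg && /"version":/ { if (index($0, "\"" v "\"")) found = 1; inpkg = 0 }
        END { exit (found ? 0 : 1) }' "$lock"; then
      echo "COMPROMISED: $name@$ver pinned in $lock"; hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

# check_installed DIR: recursive grep for the payload identifier (the advisory's
# rg command without the ripgrep dependency). Returns 1 on a hit, 0 if clean.
check_installed() {
  if grep -rl "$INDICATOR" "$1" 2>/dev/null; then
    echo "INDICATOR $INDICATOR found under $1"; return 1
  fi
  return 0
}

# make_sample DIR: write a constructed lockfile (debug at a safe version, a nested
# chalk at the compromised one) and a fake installed file carrying the indicator.
make_sample() {
  mkdir -p "$1/node_modules/chalk/source"
  cat > "$1/package-lock.json" <<'EOF'
{
  "lockfileVersion": 3,
  "packages": {
    "node_modules/debug": { "version": "4.4.1" },
    "node_modules/ansi-styles/node_modules/chalk": { "version": "5.6.1" }
  }
}
EOF
  printf 'var %s = "constructed marker";\n' "$INDICATOR" > "$1/node_modules/chalk/source/index.js"
}
```

Run `make_sample ./sample && check_lockfile ./sample/package-lock.json; check_installed ./sample/node_modules` to see both checks flag the constructed data; point them at a real lockfile and node_modules to audit a project.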
Urgency: Currently, no attacker-controlled wallets appear to have received funds; however, this vulnerability enables silent financial theft via compromised wallets. The extremely high install base makes this a high-risk vulnerability.
Additional Resources:
Aikido Blog – NPM Debug & Chalk Packages Compromised
