npm debug / chalk Supply Chain Attack (September 2025)
1 decision on this page
Audit log
Every state-changing event for npm debug / chalk Supply Chain Attack (September 2025): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-06-20 12:11:35Z. Score: ? → ? (no score change). Status: anchored.
- chain: mainnet-beta, slot 427,721,042
- sig: 3XczqRzBFTxv…vCneU2zR (explorer link)
- hash: BQsCak1BPxDz…vQnhgFdA (sha256 → base58)
- row integrity: recomputed in your browser; full verify: on-chain lookup
- canonical bytes (24177 B):
{"actor":"system:backfill","investigation_id":"905023a0-e0e6-4b7f-84aa-1e4336c03c59","kind":"publish","page_slug":"npm-debug-chalk-supply-chain-attack-september-2025","published_at":"2026-06-20T12:11:35.706Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"npm debug / chalk Supply Chain Attack (September 2025)","sections":[{"content":"On September 8, 2025, a coordinated supply chain attack against the npm JavaScript package registry resulted in the compromise of at least 18 widely-used open-source packages. The attacker gained unauthorized access to the npm publishing account of Josh Junon (alias 'qix'), a well-known open-source maintainer responsible for the chalk terminal-styling library and related packages. Within approximately 16 minutes of the account takeover, malicious versions began appearing on the npm registry. The affected packages collectively registered over 2 billion weekly downloads, making this one of the largest compromises in npm registry history by download exposure. 
Security researchers at Sygnia, Wiz, Palo Alto Networks, Checkmarx, Semgrep, and others published analyses confirming the scope and payload behavior.","heading":"Attack Overview","severity":"critical","sources":[{"credibility":2,"name":"16 Minutes to Impact: npm Supply Chain Abuse Deploys crypto-draining malware - Sygnia","type":"research","url":"https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/"},{"credibility":2,"name":"Widespread npm Supply Chain Attack: Breaking Down Impact & Scope Across Debug, Chalk, and Beyond - Wiz","type":"research","url":"https://www.wiz.io/blog/widespread-npm-supply-chain-attack-breaking-down-impact-scope-across-debug-chalk"},{"credibility":2,"name":"20 Popular npm Packages With 2 Billion Weekly Downloads Compromised - The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html"}]},{"content":"Attackers registered the domain npmjs.help on September 5, 2025, three days before the attack. On September 8, 2025 at approximately 13:00 UTC, they sent a phishing email to the chalk maintainer impersonating npm security personnel. The email created false urgency by claiming the recipient's account would be locked due to a 2FA compliance requirement within 48 hours (by September 10, 2025). The phishing portal hosted a pixel-perfect replica of the npmjs.com website. When the maintainer entered credentials, the site executed an Adversary-in-the-Middle (AiTM) attack that harvested the username, password, and live time-based one-time password (TOTP) 2FA token in real time, then relayed the credentials to the legitimate npm platform to complete authentication. This technique bypassed standard TOTP-based 2FA entirely, as the attacker reused the captured token within its validity window. 
The attacker's infrastructure used IP address 185.7.81.108, with malicious content delivery through b-cdn.net subdomains (static-mw-host.b-cdn.net and img-data-backup.b-cdn.net) and a WebSocket command-and-control endpoint at websocket-api2.publicvm.com.","heading":"Attack Vector: Phishing and Adversary-in-the-Middle","severity":"critical","sources":[{"credibility":2,"name":"16 Minutes to Impact: npm Supply Chain Abuse Deploys crypto-draining malware - Sygnia","type":"research","url":"https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/"},{"credibility":2,"name":"DuckDB npm Account Compromised in Continuing Supply Chain Attack - Socket","type":"research","url":"https://socket.dev/blog/duckdb-npm-account-compromised-in-continuing-supply-chain-attack"},{"credibility":2,"name":"Critical npm Supply Chain Attack Response - September 8, 2025 - Vercel","type":"official","url":"https://vercel.com/blog/critical-npm-supply-chain-attack-response-september-8-2025"}]},{"content":"The first wave of compromise, attributed to the Qix account takeover on September 8, 2025, affected 18 npm packages: chalk (~300M weekly downloads), debug (~357M), ansi-styles (~371M), supports-color (~287M), strip-ansi (~261M), ansi-regex, wrap-ansi, color-convert, color-name, color-string, is-arrayish, slice-ansi, simple-swizzle, has-ansi, chalk-template, supports-hyperlinks, error-ex, and backslash. A second wave began on September 9, 2025 when the duckdb_admin npm account was compromised through the same phishing infrastructure, resulting in malicious versions of duckdb (~149K weekly downloads), @duckdb/duckdb-wasm (~65K), @duckdb/node-api (~83K), and @duckdb/node-bindings (~72K). Additional packages affected in the second wave included prebid, prebid-universal-creative, @coveops/abi, and proto-tinker-wc. 
The combined first and second wave packages exceeded 2.6 billion weekly downloads, though actual install exposure during the attack window was substantially smaller given the short availability period.","heading":"Affected Packages","severity":"critical","sources":[{"credibility":2,"name":"Breakdown: Widespread npm Supply Chain Attack - Palo Alto Networks","type":"research","url":"https://www.paloaltonetworks.com/blog/cloud-security/npm-supply-chain-attack/"},{"credibility":2,"name":"Chalk And 17 Other NPM Packages Compromised In Supply-Chain Attack - Checkmarx","type":"research","url":"https://checkmarx.com/zero-post/chalk-and-17-other-npm-packages-compromised-in-supply-chain-attack/"},{"credibility":2,"name":"DuckDB npm Account Compromised in Continuing Supply Chain Attack - Socket","type":"research","url":"https://socket.dev/blog/duckdb-npm-account-compromised-in-continuing-supply-chain-attack"},{"credibility":2,"name":"20 Popular npm Packages With 2 Billion Weekly Downloads Compromised - The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html"}]},{"content":"The injected code operated exclusively in browser environments, employing environment detection to avoid execution in Node.js server-side contexts (on Node.js releases without a global fetch, build pipelines that loaded the package crashed with 'ReferenceError: fetch is not defined', which inadvertently served as an early detection signal). In the browser, the payload hooked into standard web APIs including fetch(), XMLHttpRequest, window.ethereum.request (the EIP-1193 wallet interface), and Solana wallet signing methods. 
When cryptocurrency transactions were initiated, the malware intercepted the request payload, identified wallet addresses using pattern matching, and replaced the destination with an attacker-controlled address chosen from a hardcoded list by smallest Levenshtein distance to the original, so that the substitute looked similar enough to pass a casual check in confirmation dialogs. Targeted blockchain networks included Ethereum, Bitcoin (legacy and SegWit), Solana, TRON, Litecoin, and Bitcoin Cash. The payload was heavily obfuscated with code beginning with the pattern 'const _0x112fa8=_0x180f;(function(_0x13c8b9,_0x35f660){...'. Checkmarx identified hardcoded Ethereum function selectors (0x095ea7b3 approve, 0xd505accf permit, 0xa9059cbb transfer, 0x23b872dd transferFrom), global variable names stealthProxyControl, runmask, and newdlocal, and a Solana attacker public key of 19111111111111111111111111111111. The known attacker Ethereum wallet was 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976.","heading":"Malicious Payload: Browser Cryptostealer","severity":"critical","sources":[{"credibility":2,"name":"16 Minutes to Impact: npm Supply Chain Abuse Deploys crypto-draining malware - Sygnia","type":"research","url":"https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/"},{"credibility":2,"name":"Chalk And 17 Other NPM Packages Compromised In Supply-Chain Attack - Checkmarx","type":"research","url":"https://checkmarx.com/zero-post/chalk-and-17-other-npm-packages-compromised-in-supply-chain-attack/"},{"credibility":2,"name":"Security Alert: chalk, debug and color on npm compromised - Semgrep","type":"research","url":"https://semgrep.dev/blog/2025/chalk-debug-and-color-on-npm-compromised-in-new-supply-chain-attack/"}]},{"content":"Despite the extraordinary download exposure of the compromised packages, actual cryptocurrency theft was minimal. 
Post-incident analysis of attacker-controlled wallets revealed approximately $600 USD in total assets across all chains: roughly $429 in Ethereum, approximately $46 in Solana, with negligible amounts on other networks. Security researchers attributed the low theft yield to a combination of factors: the short availability window before community detection (approximately 7 hours for full containment, with the most popular packages removed earlier), the requirement for browser execution meaning server-only deployments were unaffected, and the relatively small number of end-user cryptocurrency transactions that happened to occur through browser applications depending on these specific packages during the attack window. The Wiz research team estimated approximately 10% of cloud environments had the malicious code reach them, though most cloud workloads process these packages server-side where the payload did not execute.","heading":"Financial Impact and Actual Theft","severity":"high","sources":[{"credibility":2,"name":"DuckDB npm Account Compromised in Continuing Supply Chain Attack - Socket","type":"research","url":"https://socket.dev/blog/duckdb-npm-account-compromised-in-continuing-supply-chain-attack"},{"credibility":2,"name":"Widespread npm Supply Chain Attack - Wiz","type":"research","url":"https://www.wiz.io/blog/widespread-npm-supply-chain-attack-breaking-down-impact-scope-across-debug-chalk"},{"credibility":2,"name":"20 Popular npm Packages With 2 Billion Weekly Downloads Compromised - The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html"}]},{"content":"Detection began at approximately 14:16 UTC on September 8, 2025 when a community member raised suspicions on the Bluesky social network. A user identified as 'informatic' independently noticed the malicious versions on npm were not present in the corresponding GitHub repository. 
Aikido Security has been credited for early detection and alerting. By 15:15 UTC, maintainer Josh Junon publicly acknowledged the breach. At 17:17 UTC, npm confirmed the breach and initiated a formal takedown. By 19:59 UTC, all impacted first-wave package versions had been removed from the npm registry — approximately 7 hours after the initial compromise. Vercel activated its incident response at 17:39 UTC, identified 70 Vercel teams with builds containing compromised package versions across 76 unique projects, purged all affected build caches by 22:19 UTC, and notified affected customers with remediation guidance. The secondary DuckDB wave on September 9 was identified and removed more rapidly due to heightened community vigilance. Semgrep released open-source detection rules to help organizations identify compromised versions in their dependency trees.","heading":"Detection and Containment","severity":"high","sources":[{"credibility":2,"name":"16 Minutes to Impact: npm Supply Chain Abuse Deploys crypto-draining malware - Sygnia","type":"research","url":"https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/"},{"credibility":2,"name":"Critical npm Supply Chain Attack Response - September 8, 2025 - Vercel","type":"official","url":"https://vercel.com/blog/critical-npm-supply-chain-attack-response-september-8-2025"},{"credibility":2,"name":"Security Alert: chalk, debug and color on npm compromised - Semgrep","type":"research","url":"https://semgrep.dev/blog/2025/chalk-debug-and-color-on-npm-compromised-in-new-supply-chain-attack/"}]},{"content":"No specific threat actor or group has been publicly attributed to this attack as of the available reporting. Investigators confirmed the attack used the phishing domain npmjs.help (registered September 5, 2025), attacker IP 185.7.81.108, content delivery infrastructure on b-cdn.net subdomains, and a WebSocket C2 server at websocket-api2.publicvm.com. 
The same malware payload and infrastructure were used in both the Qix account compromise on September 8 and the duckdb_admin compromise on September 9, confirming a single coordinated campaign targeting multiple prominent npm maintainers. The DuckDB team confirmed they received the same phishing email. No law enforcement arrests or charges have been publicly reported in connection with this incident.","heading":"Attribution and Threat Actor","severity":"high","sources":[{"credibility":2,"name":"16 Minutes to Impact: npm Supply Chain Abuse Deploys crypto-draining malware - Sygnia","type":"research","url":"https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/"},{"credibility":2,"name":"DuckDB npm Account Compromised in Continuing Supply Chain Attack - Socket","type":"research","url":"https://socket.dev/blog/duckdb-npm-account-compromised-in-continuing-supply-chain-attack"}]},{"content":"Security researchers from multiple firms characterized this event as the largest npm supply chain attack in history by download exposure. Wiz reported that 99% of surveyed cloud environments had at least one of the targeted packages installed prior to the attack, underscoring the ubiquity of foundational JavaScript utility libraries as an attack surface. The attack highlighted systemic weaknesses in open-source package management: single maintainer accounts with publish rights over billions of weekly downloads, the inadequacy of TOTP-based 2FA against AiTM phishing, and the lack of mandatory cryptographic signing for npm package releases. The NetRise analysis compared the incident's potential severity to the Log4Shell vulnerability, noting containment was fast but the attack surface — single-maintainer accounts for critical infrastructure — remains structurally unchanged. 
Vercel's response documented the cascading dependency risk, where 76 downstream projects on their platform were affected despite none of them directly depending on the 18 compromised packages at the top level.","heading":"Industry Impact and Systemic Risk","severity":"high","sources":[{"credibility":2,"name":"The NPM Supply Chain Attack Was No Log4j, But It Could Have Been - NetRise","type":"research","url":"https://www.netrise.io/xiot-security-blog/the-npm-supply-chain-attack-was-no-log4j-but-it-could-have-been"},{"credibility":2,"name":"Widespread npm Supply Chain Attack - Wiz","type":"research","url":"https://www.wiz.io/blog/widespread-npm-supply-chain-attack-breaking-down-impact-scope-across-debug-chalk"},{"credibility":2,"name":"Critical npm Supply Chain Attack Response - September 8, 2025 - Vercel","type":"official","url":"https://vercel.com/blog/critical-npm-supply-chain-attack-response-september-8-2025"}]},{"content":"Organizations that ran npm installs or CI/CD builds between approximately 13:00 UTC and 20:00 UTC on September 8, 2025, or from approximately 01:00 UTC on September 9, 2025 until the second-wave versions were removed, should audit their dependency lockfiles and build artifacts for the malicious versions. Recommended actions include: pinning every affected package to a known-good version (the malicious versions were unpublished from the registry, and clean releases can be cross-checked against the packages' GitHub repositories, which never received the payload); auditing build cache contents and purging any caches that may contain compromised artifacts, since a corrected lockfile does not clean artifacts already built during the window; reviewing browser-side JavaScript bundles built during the exposure window for the presence of obfuscated payload code; inspecting outbound network logs for connections to 185.7.81.108, b-cdn.net subdomains, or publicvm.com; and monitoring attacker Ethereum wallet 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976 for outbound transactions that may indicate successful theft. Semgrep released detection rules for identifying compromised versions. 
For long-term mitigation, security teams recommend migrating from TOTP to hardware security keys (FIDO2/WebAuthn) for accounts with npm publish rights, because WebAuthn credentials are bound to the registering origin and a replica hosted on npmjs.help cannot relay them to npmjs.com the way it relayed the TOTP code; enabling npm package provenance and signature verification where available; and implementing SBOM tooling to detect transitive dependency compromises.","heading":"Remediation Guidance","severity":"medium","sources":[{"credibility":2,"name":"Security Alert: chalk, debug and color on npm compromised - Semgrep","type":"research","url":"https://semgrep.dev/blog/2025/chalk-debug-and-color-on-npm-compromised-in-new-supply-chain-attack/"},{"credibility":2,"name":"Breakdown: Widespread npm Supply Chain Attack - Palo Alto Networks","type":"research","url":"https://www.paloaltonetworks.com/blog/cloud-security/npm-supply-chain-attack/"},{"credibility":2,"name":"Critical npm Supply Chain Attack Response - September 8, 2025 - Vercel","type":"official","url":"https://vercel.com/blog/critical-npm-supply-chain-attack-response-september-8-2025"}]}],"sources_used":[{"credibility":2,"name":"16 Minutes to Impact: npm Supply Chain Abuse Deploys crypto-draining malware - Sygnia","type":"research","url":"https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/"},{"credibility":2,"name":"Widespread npm Supply Chain Attack: Breaking Down Impact & Scope Across Debug, Chalk, and Beyond - Wiz","type":"research","url":"https://www.wiz.io/blog/widespread-npm-supply-chain-attack-breaking-down-impact-scope-across-debug-chalk"},{"credibility":2,"name":"Critical npm Supply Chain Attack Response - September 8, 2025 - Vercel","type":"official","url":"https://vercel.com/blog/critical-npm-supply-chain-attack-response-september-8-2025"},{"credibility":2,"name":"Security Alert: chalk, debug and color on npm compromised in new supply chain attack - Semgrep","type":"research","url":"https://semgrep.dev/blog/2025/chalk-debug-and-color-on-npm-compromised-in-new-supply-chain-attack/"},{"credibility":2,"name":"npm Supply Chain 
Attack: Massive Compromise of debug, chalk, and 16 Other Packages - Upwind","type":"research","url":"https://www.upwind.io/feed/npm-supply-chain-attack-massive-compromise-of-debug-chalk-and-16-other-packages"},{"credibility":2,"name":"DuckDB npm Account Compromised in Continuing Supply Chain Attack - Socket","type":"research","url":"https://socket.dev/blog/duckdb-npm-account-compromised-in-continuing-supply-chain-attack"},{"credibility":2,"name":"Chalk And 17 Other NPM Packages Compromised In Supply-Chain Attack - Checkmarx","type":"research","url":"https://checkmarx.com/zero-post/chalk-and-17-other-npm-packages-compromised-in-supply-chain-attack/"},{"credibility":2,"name":"Breakdown: Widespread npm Supply Chain Attack Puts Billions of Weekly Downloads at Risk - Palo Alto Networks","type":"research","url":"https://www.paloaltonetworks.com/blog/cloud-security/npm-supply-chain-attack/"},{"credibility":2,"name":"20 Popular npm Packages With 2 Billion Weekly Downloads Compromised in Supply Chain Attack - The Hacker News","type":"news_article","url":"https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html"},{"credibility":2,"name":"The NPM Supply Chain Attack Was No Log4j, But It Could Have Been - NetRise","type":"research","url":"https://www.netrise.io/xiot-security-blog/the-npm-supply-chain-attack-was-no-log4j-but-it-could-have-been"},{"credibility":1,"name":"DuckDB npm packages 1.3.3 and 1.29.2 compromised with malware - GitHub Security Advisory","type":"official","url":"https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf2c"}],"summary":"On September 8, 2025, attackers compromised the npm account of open-source maintainer Josh Junon (alias 'qix') through a phishing campaign using the spoofed domain npmjs.help, then published malicious versions of 18 foundational JavaScript packages — including chalk (~300M weekly downloads) and debug (~357M) — that collectively exceeded 2 billion weekly downloads. 
The injected payload functioned as a browser-side wallet-draining cryptostealer, silently intercepting and rewriting cryptocurrency transaction destinations before signing. The malicious versions were available for approximately 7 hours before full removal; a second wave on September 9 targeted DuckDB npm accounts through the same phishing infrastructure.","timeline":[{"date":"2025-09-05","event":"Attackers register phishing domain npmjs.help, designed as a pixel-perfect replica of the npmjs.com website.","source":"Sygnia Threat Report","source_url":"https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/"},{"date":"2025-09-08","event":"13:00 UTC: Phishing email sent to chalk maintainer Josh Junon (qix) impersonating npm security personnel, claiming a 2FA compliance requirement with a 48-hour lockout deadline.","source":"Sygnia Threat Report","source_url":"https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/"},{"date":"2025-09-08","event":"13:16 UTC: First malicious package version published to npm, approximately 16 minutes after the AiTM phishing attack captured the maintainer's credentials and live 2FA token.","source":"Sygnia Threat Report","source_url":"https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/"},{"date":"2025-09-08","event":"Attacker publishes malicious versions of 18 npm packages including chalk, debug, ansi-styles, supports-color, strip-ansi, and 13 other foundational JavaScript utilities, injecting a browser-side cryptocurrency wallet-draining payload.","source":"The Hacker News","source_url":"https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html"},{"date":"2025-09-08","event":"14:16 UTC: Community member raises suspicions on Bluesky; user 'informatic' identifies that malicious npm versions are absent from the GitHub repository. 
Aikido Security credited for early detection.","source":"Sygnia Threat Report","source_url":"https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/"},{"date":"2025-09-08","event":"15:15 UTC: Maintainer Josh Junon publicly acknowledges the account breach.","source":"Sygnia Threat Report","source_url":"https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/"},{"date":"2025-09-08","event":"17:17 UTC: npm confirms the breach and initiates formal takedown of malicious package versions.","source":"Sygnia Threat Report","source_url":"https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/"},{"date":"2025-09-08","event":"17:39 UTC: Vercel activates incident response, identifies 70 Vercel teams with builds containing compromised package versions across 76 unique projects.","source":"Vercel Blog","source_url":"https://vercel.com/blog/critical-npm-supply-chain-attack-response-september-8-2025"},{"date":"2025-09-08","event":"19:59 UTC: All impacted first-wave package versions removed from npm registry, approximately 7 hours after initial account compromise.","source":"Sygnia Threat Report","source_url":"https://www.sygnia.co/threat-reports-and-advisories/npm-supply-chain-attack-september-2025/"},{"date":"2025-09-08","event":"22:19 UTC: Vercel completes purge of build caches for all 76 affected projects and issues customer notifications.","source":"Vercel Blog","source_url":"https://vercel.com/blog/critical-npm-supply-chain-attack-response-september-8-2025"},{"date":"2025-09-09","event":"~01:11-01:13 UTC: Second wave begins. The duckdb_admin npm account is compromised via the same npmjs.help phishing infrastructure. Malicious versions of duckdb (1.3.3), @duckdb/duckdb-wasm (1.29.2), @duckdb/node-api (1.3.3), and @duckdb/node-bindings (1.3.3) published, containing identical wallet-drainer malware. 
Prebid and @coveops/abi also affected.","source":"Socket.dev","source_url":"https://socket.dev/blog/duckdb-npm-account-compromised-in-continuing-supply-chain-attack"},{"date":"2025-09-09","event":"DuckDB maintainers confirm compromise via the same phishing email used in the September 8 attack. GitHub security advisory GHSA-w62p-hx95-gf2c published for affected DuckDB packages.","source":"DuckDB GitHub Security Advisory","source_url":"https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf2c"}]},"v":1}
Verify offline (run on your own machine): python -m src.verify_decision 6bcf3095-a86c-4cfb-b9f0-bbc1e2d8bfd8
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.
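Added worked example for the "Malicious Payload: Browser Cryptostealer" section of the snapshot above. It is editor-written illustration code, not the payload itself and not code from any of the cited researchers: it implements the Levenshtein nearest-match selection the section describes, decodes the address argument for the four ERC-20 selectors Checkmarx listed, and shows a guard that compares the transaction a dApp intended with the one observed at the provider boundary. The legitimate recipient, the token contract address and two of the three pool addresses are constructed; the first pool entry is the attacker wallet quoted in the snapshot.

```javascript
'use strict';
// Added illustration, not the malware's code. Shows (1) the Levenshtein "nearest
// match" selection the snapshot describes and (2) a guard that compares the
// recipient an application intended with what reaches the wallet provider.

// Standard Levenshtein edit distance, single-row dynamic programme.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];          // holds dp[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];     // dp[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Pick the candidate closest to the legitimate address. This is the step that let
// the swapped address survive a glance at a confirmation dialog.
function nearestLookalike(original, candidates) {
  let best = { address: null, distance: Infinity };
  for (const c of candidates) {
    const distance = levenshtein(original.toLowerCase(), c.toLowerCase());
    if (distance < best.distance) best = { address: c, distance };
  }
  return best;
}

// ERC-20 selectors quoted from the Checkmarx analysis, with the index of the
// 32-byte argument word holding the address a drainer would want to rewrite.
const WATCHED_SELECTORS = {
  '0x095ea7b3': { name: 'approve', addrArg: 0 },      // approve(spender, amount)
  '0xd505accf': { name: 'permit', addrArg: 1 },       // permit(owner, spender, ...)
  '0xa9059cbb': { name: 'transfer', addrArg: 0 },     // transfer(to, amount)
  '0x23b872dd': { name: 'transferFrom', addrArg: 1 }, // transferFrom(from, to, amount)
};

// Return the watched address from ABI-encoded calldata, or null for other calls.
function watchedAddress(data) {
  if (typeof data !== 'string' || data.length < 10) return null;
  const spec = WATCHED_SELECTORS[data.slice(0, 10).toLowerCase()];
  if (!spec) return null;
  const start = 10 + spec.addrArg * 64;
  const word = data.slice(start, start + 64);
  return word.length === 64 ? '0x' + word.slice(24) : null; // low 20 bytes of the word
}

// Flag any divergence between the transaction the dApp built and the one observed
// at the provider boundary (e.g. inside a wrapper around eth_sendTransaction).
function auditTransaction(intended, observed) {
  const norm = (s) => (s || '').toLowerCase();
  if (norm(intended.to) !== norm(observed.to)) {
    return { ok: false, field: 'to', expected: intended.to, actual: observed.to };
  }
  const want = watchedAddress(intended.data);
  const got = watchedAddress(observed.data);
  if (norm(want) !== norm(got)) {
    return { ok: false, field: 'calldata', expected: want, actual: got };
  }
  return { ok: true };
}

const word = (hex) => hex.replace(/^0x/, '').toLowerCase().padStart(64, '0');
const encodeTransfer = (to, amountHex) => '0xa9059cbb' + word(to) + word(amountHex);

// Constructed sample data. The first pool entry is the attacker wallet reported for
// this incident; the remaining addresses are made up for the demonstration.
const LEGIT_RECIPIENT = '0x1234567890abcdef1234567890abcdef12345678';
const ATTACKER_POOL = [
  '0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976',
  '0x1234567890abcdef1234567890abcdef12345699', // constructed: two edits from LEGIT
  '0xffffffffffffffffffffffffffffffffffffffff', // constructed: obviously different
];
const TOKEN = '0x00000000000000000000000000000000000000a1'; // constructed token contract

function demo() {
  const swap = nearestLookalike(LEGIT_RECIPIENT, ATTACKER_POOL);
  const intendedEth = { to: LEGIT_RECIPIENT, value: '0x2386f26fc10000' };
  const swappedEth = { ...intendedEth, to: swap.address };         // `to` rewritten
  const intendedErc20 = { to: TOKEN, data: encodeTransfer(LEGIT_RECIPIENT, '0x64') };
  const swappedErc20 = { to: TOKEN, data: encodeTransfer(swap.address, '0x64') }; // calldata rewritten
  return {
    swap,
    eth: auditTransaction(intendedEth, swappedEth),
    erc20: auditTransaction(intendedErc20, swappedErc20),
    clean: auditTransaction(intendedErc20, intendedErc20),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The ERC-20 case is the one a plain "check the `to` field" review misses: for a token transfer `to` is the token contract, and the victim's address lives inside the calldata word the selector table points at. The guard only catches a swap that happens between the application's own call and the boundary where it observes the transaction; a drainer that also wraps the provider object the guard reads from can lie to the guard, which is why the snapshot's long-term fixes sit on the publishing side (WebAuthn, provenance) rather than in the page.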
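Added worked example for the "Remediation Guidance" section of the snapshot above (editor-written; not a tool from Semgrep, Vercel or any other cited source). It audits a package-lock.json for the DuckDB versions the snapshot names, reports first-wave package names for manual version review because the snapshot does not enumerate their malicious versions, and scans built JavaScript for the string indicators quoted in the payload and infrastructure sections. It assumes lockfileVersion 2 or 3 (the "packages" map); the lockfile and bundle inputs are constructed samples.

```javascript
'use strict';
// Added example, not a tool from the page's sources or from npm. Audits a
// package-lock.json (lockfileVersion 2 or 3, i.e. the "packages" map) and built
// JavaScript for the indicators the snapshot lists. All inputs are constructed.

// Exact package@version pairs the page attributes to the second (DuckDB) wave.
const KNOWN_MALICIOUS = new Set([
  'duckdb@1.3.3',
  '@duckdb/duckdb-wasm@1.29.2',
  '@duckdb/node-api@1.3.3',
  '@duckdb/node-bindings@1.3.3',
]);

// First-wave packages. The page does not enumerate their malicious versions, so a
// match here is reported for review against the cited advisories, not as a hit.
const FIRST_WAVE = new Set([
  'chalk', 'debug', 'ansi-styles', 'supports-color', 'strip-ansi', 'ansi-regex',
  'wrap-ansi', 'color-convert', 'color-name', 'color-string', 'is-arrayish',
  'slice-ansi', 'simple-swizzle', 'has-ansi', 'chalk-template',
  'supports-hyperlinks', 'error-ex', 'backslash',
]);

// String indicators quoted on the page (obfuscation prefix, globals, wallets,
// infrastructure). Short names such as "runmask" can collide with legitimate
// code, so treat a single weak match as a prompt to look, not as proof.
const PAYLOAD_SIGNATURES = [
  'const _0x112fa8=_0x180f;',
  'stealthProxyControl', 'runmask', 'newdlocal',
  '0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976',
  '19111111111111111111111111111111',
  '185.7.81.108', 'static-mw-host.b-cdn.net', 'img-data-backup.b-cdn.net',
  'websocket-api2.publicvm.com',
];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry ("") -> null.
function packageName(lockKey) {
  const marker = 'node_modules/';
  const i = lockKey.lastIndexOf(marker);
  return i < 0 ? null : lockKey.slice(i + marker.length);
}

// Walk every installed copy, nested ones included: transitive installs are
// exactly how the 76 Vercel projects were exposed.
function auditLockfile(lock) {
  if (!lock || typeof lock.packages !== 'object') {
    throw new Error('expected lockfileVersion 2 or 3 (a "packages" map)');
  }
  const hits = [], review = [];
  for (const [key, meta] of Object.entries(lock.packages)) {
    const name = packageName(key);
    if (!name || !meta || !meta.version) continue;
    const spec = `${name}@${meta.version}`;
    if (KNOWN_MALICIOUS.has(spec)) hits.push({ path: key, spec });
    else if (FIRST_WAVE.has(name)) review.push({ path: key, spec });
  }
  return { hits, review };
}

// Case-insensitive substring scan of a bundle or cached build artifact.
function scanArtifact(text) {
  const hay = text.toLowerCase();
  return PAYLOAD_SIGNATURES.filter((sig) => hay.includes(sig.toLowerCase()));
}

// Constructed sample lockfile: a second-wave hit nested under another package,
// a first-wave package needing review, and an unrelated package.
const SAMPLE_LOCK = {
  name: 'sample-app', lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/chalk': { version: '5.3.0' },
    'node_modules/some-tool/node_modules/@duckdb/node-api': { version: '1.3.3' },
  },
};
// Constructed bundle fragment carrying the obfuscation prefix and one C2 host.
const SAMPLE_BUNDLE =
  'function x(){return 1}\nconst _0x112fa8=_0x180f;(function(_0x13c8b9,_0x35f660){' +
  'new WebSocket("wss://websocket-api2.publicvm.com/ws")})();';

function runAudit(lock = SAMPLE_LOCK, bundle = SAMPLE_BUNDLE) {
  const { hits, review } = auditLockfile(lock);
  const signatures = scanArtifact(bundle);
  return { hits, review, signatures, suspicious: hits.length > 0 || signatures.length > 0 };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runAudit(), null, 2));
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as the first argument of runAudit and the contents of each file under the build output directory as the second. The lockfile only reflects what the next install will fetch; artifacts and CI caches produced during the exposure window carry whatever was installed at the time, which is why the signature scan runs over built files and why Vercel purged caches rather than only correcting dependencies.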