A new software supply chain attack is targeting a series of highly popular open-source NPM packages unleashing malware across 18 foundational JavaScript packages that collectively accounted for a staggering 2.6 billion weekly downloads. This incident highlights how a compromised open-source package can quickly reach production environments, emphasizing the importance of visibility, security controls, and proactive defenses across your software supply chain.
What Happened – The Breach Unfolds
1 – Attack Vector – Phishing
On September 5th, 2025 the attackers registered the domain npmjs[at]help, which is a domain lookalike of npmjs.com and meticulously crafted a phisihing email, that informed the maintainer that his account would be locked on September 10th, 2025 unless his two-factor authentication (2FA) was updated.
2 – Credential Exfiltration Mechanism
The threat actor’s phishing site included a login form that stole the maintainer’s credentials.
3 – Rapid Malware Deployment
The threat actor swiftly published tainted versions of 18 high-profile npm packages:
Compromised Package Malicious Version
| # | NPM Package Name | Version |
| 1 | ansi-regex | 6.2.1 |
| 2 | ansi-styles | 6.2.2 |
| 3 | backslash | 0.2.1 |
| 4 | chalk | 5.6.1 |
| 5 | chalk-template | 1.1.1 |
| 6 | color | 5.0.1 |
| 7 | color-convert | 3.1.1 |
| 8 | color-name | 2.0.1 |
| 9 | color-string | 2.1.1 |
| 10 | debug | 4.4.2 |
| 11 | has-ansi | 6.0.1 |
| 12 | is-arrayish | 0.3.3 |
| 13 | simple-swizzle | 0.2.3 |
| 14 | slice-ansi | 7.1.1 |
| 15 | strip-ansi | 7.1.1 |
| 16 | supports-color | 10.2.1 |
| 17 | supports-hyperlinks | 4.1.1 |
| 18 | wrap-ansi | 9.0.1 |
Collectively all these packages gather around 2.6 billion weekly downloads.
4 – Threat Actor’s goal
The attackers inserted malicious code to the 18 npm packages. The malicious injected code acted as a browser-based interceptor, specifically targeting cryptocurrency and Web3 activity – manipulating crypto wallet transactions by hijacking network requests and redirecting funds to attacker-controlled accounts.
5 – Detection and Mitigation
A security firm flagged the suspicious updates on September 8th, 2025 at about 13:16 UTC. They alerted the maintainer, who began remediating the packages by 15:15 UTC – less than two hours later. Several versions were swiftly removed from npm.
Why It Matters
- Scale & Reach
With billions of weekly downloads, such attack can reach deep into the software supply chain. The speed of propagation means that thousands of applications, including those running in cloud-native environments, may integrate the malicious code before detection. - Foundational Dependencies
The compromised packages are building blocks across the ecosystem. Even if your team don’t install them directly, chances are other dependencies can make the blast radius enormous. - An Unexpected Initial Access – Phishing
A single phishing email gave attackers the keys to the ecosystem. When threat modeling attacks against cloud native environments, phishing is seldom considered as an initial access to organisational environment. This shows how people, not just code, remain the weakest link in the supply chain and how phishing can propagate through to your production environments
How Aqua Can Help
Supply chain compromises like this npm hijack show how quickly malicious code can move from a package registry into production. Aqua’s cloud-native security platform provides three powerful capabilities that directly address this risk:
Software Bill of Materials (SBOM): Know What’s Inside Your Software
- Full Visibility: SBOMs list every dependency, direct and transitive, so you know exactly what’s in your images and workloads.
- Faster Response: When a package like
chalkis compromised, SBOMs let you instantly check if you’re affected. - Compliance Ready: SBOMs meet emerging regulatory requirements like the U.S. EO and EU’s CRA.
- Automated in CI/CD: Aqua generates SBOMs automatically during builds, ensuring continuous visibility across the pipeline.
In this npm attack, SBOMs would allow you to immediately identify whether your workloads contained the hijacked packages and act before production is impacted.
In the screenshot below you can see the software supply chain security policy allowing you to block specific packages and fail the build if your developers are using compromised packages.
Supply chain security policy set to block specific NPM packages
Aqua DTA (Dynamic Threat Analysis): Catching Malicious Packages Before They Run
- Behavioral Analysis at Scale: DTA detonates container images, functions, and artifacts in a secure sandbox to observe their behavior in real time.
- Uncover Hidden Payloads: Even if a package looks benign in code review, DTA can expose hidden behaviors like the crypto-stealing malware injected in npm packages.
- Automated in CI/CD: By embedding DTA into pipelines, organizations can prevent tainted dependencies from ever reaching registries, clusters, or cloud workloads.
- Fail the build and kill the chain: When malicious code infiltrates your pipeline, DTA can fail the build and kill the attack before it reaches critical environments.
If a compromised package like chalk were pulled into your image, Aqua DTA would detect the suspicious network calls and injected scripts long before deployment.
Runtime protection: Stop Attacks in Production
- Runtime Visibility: Aqua Runtime Protection continuously monitors containers, serverless functions, and Kubernetes clusters for abnormal activity, such as unexpected package downloads or crypto-related network connections.
- Threat Intelligence and Behavioral Detection: By combining Aqua’s research-backed intelligence with runtime anomaly detection, Aqua Runtime Protection can spot and block attacks that slip past build-time defenses.
- Rapid Incident Response: Security teams get contextual alerts tied to workloads, namespaces, and cloud environments, enabling faster triage and containment.
If the npm malware had reached a production pod, Aqua Runtime Protection could detect the outbound exfiltration attempts and stop the workload before data or credentials were compromised.
