Skip to main content
See every side of every news story
Get Started
SubscribeLogin
Published loading...Updated

Software Packages with More than 2 Billion Weekly Downloads Hit in Supply-Chain Attack

Attackers compromised maintainer accounts to inject malware into 18 npm packages with over 2.6 billion weekly downloads, redirecting cryptocurrency transactions to attacker-controlled wallets.

  • Aikido Security detected on September 8, 2025, that attackers hijacked qix's account and pushed malicious updates to 18 npm packages, totaling more than 2.6 billion weekly downloads.
  • Attackers sent a convincing phishing email from support@npmjs.help, pressuring maintainers to refresh two-factor settings before September 10, 2025, researchers said this targeted social-engineering exploited trust.
  • Aikido's analysis found injected code modified index.js files as a browser-based interceptor, hijacking MetaMask and Phantom wallets; Charlie Eriksen said, `What makes it dangerous is that it operates at multiple layers.`
  • Developers were urged to roll back to known‑safe versions, audit recent updates, and monitor crypto transactions closely as some compromised packages like simple‑swizzle@0.2.3 remain available, though no confirmed theft occurred despite the crypto‑clipper malware.
  • This attack follows prior compromises earlier this year including eslint-config-prettier, and experts like SOCRadar CISO Ensar Seker urge stronger maintainer protections such as hardware authentication and SBOMs.
Insights by Ground AI
Does this summary seem wrong?

31 Articles

Ars TechnicaArs Technica
Center

Software packages with more than 2 billion weekly downloads hit in supply-chain attack

Hackers planted malicious code in open source software packages with more than 2 billion weekly updates in what is likely to be the world’s biggest supply-chain attack ever. The attack, which compromised nearly two dozen packages hosted on the npm repository, came to public notice on Monday in social media posts. Around the same time, Josh Junon, a maintainer or co-maintainer of the affected packages, said he had been “pwned” after falling for a…

·United States
Read Full Article
krebsonsecurity.comkrebsonsecurity.com
Center

18 Popular Code Packages Hacked, Rigged to Steal Crypto

Open the article to view the coverage from krebsonsecurity.com

Read Full Article
PC MagPC Mag
Lean Left

Hacker Pwns Programmer, Infects Widely Used Software With Malware

The malware was found in 18 npm packages that together are usually downloaded over 2 billion times per week. But the security community was quick to act.

·United States
Read Full Article
Coin DeskCoin Desk
Center

Ledger CTO Warns of NPM Supply-Chain Attack Hitting 1B+ Downloads

According to Guillemet, the malicious code — already pushed into packages with over 1 billion downloads — is designed to silently swap crypto wallet addresses in transactions. That means unsuspecting users could send funds directly to the attacker without realizing it.

·Manila, Philippines
Read Full Article
The RegisterThe Register
Center

Dev caught in phishing net, 18 npm packages compromised

: Popular npm packages debug, chalk, and others hijacked in massive supply chain attack

Read Full Article
BleepingComputerBleepingComputer
Center

Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack

In a supply chain attack, attackers have injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack.

Read Full Article
Think freely.Subscribe and get full access to Ground NewsSubscriptions start at $9.99/yearSubscribe

Bias Distribution

  • 83% of the sources are Center
83% Center

Factuality 

To view factuality data please Upgrade to Premium

Ownership

To view ownership data please Upgrade to Vantage

BleepingComputer broke the news in on Monday, September 8, 2025.
Sources are mostly out of (0)

Similar News Topics

Software icon

Software

Technology icon

Technology

Cyber Security icon

Cyber Security

Cryptocurrency icon

Cryptocurrency

News
For You
SearchBlindspotLocal