
What Happened in the Billion-Download NPM Supply-Chain Attack of September 2025?

BitcoinWorld

As of September 9, 2025, the JavaScript ecosystem is responding to a major supply-chain attack that compromised the NPM account of the popular developer qix. This compromise led to the publication of malicious versions of dozens of widely-used packages, including chalk, strip-ansi, and color-convert. The combined weekly downloads of the affected packages exceed one billion, making this one of the most significant security incidents in open-source history.

  • Initial Discovery: The attack was first detected through a cryptic build failure in a CI/CD pipeline, specifically a ReferenceError: fetch is not defined. This error occurred because the malware’s attempt to exfiltrate data via a fetch call failed in an older Node.js environment that lacked the global fetch function.
  • Root Cause: The attacker gained control of the qix NPM account, allowing them to publish malicious patch versions of key libraries.
  • Vast Impact: The compromised packages are fundamental building blocks of countless projects, often buried deep within dependency trees. Key affected packages and their approximate weekly downloads include:
      • chalk: ~300 million
      • strip-ansi: ~261 million
      • color-convert: ~193 million
      • color-name: ~191 million
      • is-core-module: ~69 million
      • error-ex: ~47 million
      • simple-swizzle: ~26 million
      • has-ansi: ~12 million

How Does the Crypto-Clipper Malware from the NPM Attack Steal Funds?

The malicious code, a sophisticated “crypto-clipper,” is designed to steal cryptocurrency by targeting user transactions and wallet interactions. It operates using a two-pronged strategy:

  • Passive Address Swapping: The malware “monkey-patches” the browser’s native fetch and XMLHttpRequest functions to intercept all network traffic. It contains a list of attacker-owned wallet addresses for currencies like Bitcoin (BTC), Ethereum (ETH), Solana (SOL), Tron (TRX), Litecoin (LTC), and Bitcoin Cash (BCH). Using the Levenshtein distance algorithm, the script finds the attacker’s address that is typographically most similar to the user’s legitimate one, making the substitution difficult for the human eye to detect.
  • Active Transaction Hijacking: If the malware detects a browser-based wallet like MetaMask by checking for window.ethereum, it hijacks the wallet’s communication methods (request, send). When a user initiates a transaction, the malware modifies the data in memory, replacing the legitimate recipient’s address with a hardcoded attacker’s address. The user then unknowingly signs a fraudulent transaction, redirecting their funds to the attacker.

Tracking the Attack: The transparency of blockchains allows for the monitoring of these fraudulent transactions. One of the primary Ethereum addresses used by the attacker is 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976. A complete list of compromised wallets is available in a public GitHub Gist.
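The two hooking techniques described above leave a detectable trace. As an added illustration (not code from the article, and not the malware's own code), the check below reports browser built-ins whose source no longer reads "[native code]" and wallet-provider methods whose identity differs from a snapshot taken before third-party bundles ran. The CHECKS list, the snapshot approach and the demo window objects are assumptions for this example.

```javascript
// Built-ins the clipper is described as wrapping, and how each is checked:
//   native:   a browser built-in must still show "[native code]" in its source
//   identity: a wallet provider's methods are ordinary JS, so compare them
//             with references captured before any third-party bundle ran
const CHECKS = [
  { path: "fetch", mode: "native" },
  { path: "XMLHttpRequest.prototype.open", mode: "native" },
  { path: "XMLHttpRequest.prototype.send", mode: "native" },
  { path: "ethereum.request", mode: "identity" },
  { path: "ethereum.send", mode: "identity" },
];
function resolvePath(root, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), root);
}
// Uses Function.prototype.toString directly so an own "toString" on the wrapper
// cannot hide the patch. A payload that replaces Function.prototype.toString as
// well would still defeat this, so treat the result as one signal, not proof.
function isNativeFunction(fn) {
  return typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}
// Call as early as possible to record the provider methods you trust.
function snapshot(root) {
  const snap = {};
  for (const { path, mode } of CHECKS) if (mode === "identity") snap[path] = resolvePath(root, path);
  return snap;
}
// Paths that look wrapped: non-native built-ins, or provider methods whose
// identity no longer matches the snapshot. Absent hooks are not reported.
function findPatchedHooks(root, snap) {
  const hits = [];
  for (const { path, mode } of CHECKS) {
    const fn = resolvePath(root, path);
    if (fn === undefined) continue;
    if (mode === "native" ? !isNativeFunction(fn) : fn !== snap[path]) hits.push(path);
  }
  return hits;
}
// Constructed demo objects. Math.* natives stand in for browser built-ins
// (Node's own fetch is a JS wrapper, so it is not used here); the tampered
// window wraps fetch and ethereum.request with harmless JS shims.
const xhr = { prototype: { open: Math.min, send: Math.abs } };
const provider = { request: async () => null, send: () => null };
const cleanWindow = { fetch: Math.max, XMLHttpRequest: xhr, ethereum: provider };
const early = snapshot(cleanWindow);
const tamperedWindow = {
  fetch: (...a) => Math.max(...a),
  XMLHttpRequest: xhr,
  ethereum: { request: (...a) => provider.request(...a), send: provider.send },
};
console.log(findPatchedHooks(cleanWindow, early));    // []
console.log(findPatchedHooks(tamperedWindow, early)); // [ 'fetch', 'ethereum.request' ]
```

In a real page, take the snapshot in an inline script that runs before any bundled dependency and re-run findPatchedHooks(window, snap) just before a transaction is submitted.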

What Immediate Steps Can Developers Take to Protect Their Projects?

While NPM and the open-source community are actively working to remediate the attack by removing malicious versions, compromised packages may still exist in project dependencies or lock files. To protect your projects, developers must take these immediate, critical steps:

  • Audit Your Dependencies: Immediately check your project’s package-lock.json or yarn.lock file to identify any use of the affected packages.
  • Pin to Safe Versions: Use the overrides feature in your package.json file to force npm to use known-safe versions of the compromised packages. This is crucial for fixing transitive dependencies.

  • Example package.json configuration:

{
  "name": "your-project",
  "version": "1.0.0",
  "overrides": {
    "chalk": "5.3.0",
    "strip-ansi": "7.1.0",
    "color-convert": "2.0.1",
    "color-name": "1.1.4",
    "is-core-module": "2.13.1",
    "error-ex": "1.3.2",
    "has-ansi": "5.0.1"
  }
}

  • Clean and Reinstall: After adding the overrides, delete your node_modules folder and package-lock.json file. Then, run npm install to generate a new, clean lock file with the pinned, safe versions. This ensures that no vulnerable code remains in your project’s environment.
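After the reinstall, the lock file should show every copy of the affected packages, including nested duplicates, at the pinned versions. As an added example (not from the article or from npm), the script below walks a package-lock.json in either the v1 nested layout or the v2/v3 flat "packages" layout and reports any copy that is not on the pin from the overrides above; the sample lock file and its "9.9.9" version are constructed placeholders. It checks npm lock files only, not yarn.lock.

```javascript
// The overrides from the article's package.json, used as the pins to verify.
const SAFE_VERSIONS = {
  "chalk": "5.3.0", "strip-ansi": "7.1.0", "color-convert": "2.0.1", "color-name": "1.1.4",
  "is-core-module": "2.13.1", "error-ex": "1.3.2", "has-ansi": "5.0.1",
};
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar" (lockfile v2/v3 keys).
function nameFromKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}
// Yields {name, version, where} for every installed copy, including duplicates
// nested under other packages, for either lockfile layout.
function* installedPackages(lock) {
  if (lock.packages) {                          // lockfileVersion 2 or 3: flat map
    for (const [key, meta] of Object.entries(lock.packages)) {
      const name = nameFromKey(key);
      if (name && meta.version) yield { name, version: meta.version, where: key };
    }
  } else if (lock.dependencies) {               // lockfileVersion 1: nested tree
    const walk = function* (deps, prefix) {
      for (const [name, meta] of Object.entries(deps)) {
        const where = `${prefix}node_modules/${name}`;
        if (meta.version) yield { name, version: meta.version, where };
        if (meta.dependencies) yield* walk(meta.dependencies, where + "/");
      }
    };
    yield* walk(lock.dependencies, "");
  }
}
// Every affected package whose resolved version is not the pinned safe one,
// so you can confirm the overrides actually took effect after reinstalling.
function auditLockfile(lockText, safe = SAFE_VERSIONS) {
  const findings = [];
  for (const pkg of installedPackages(JSON.parse(lockText))) {
    const expected = safe[pkg.name];
    if (expected !== undefined && pkg.version !== expected) findings.push({ ...pkg, expected });
  }
  return findings;
}
// Constructed v3 sample: chalk sits on its pin, but a nested copy of
// color-convert under "some-cli" does not ("9.9.9" is a made-up placeholder).
const SAMPLE_LOCK = JSON.stringify({
  name: "your-project", lockfileVersion: 3,
  packages: {
    "": { name: "your-project", version: "1.0.0" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/some-cli": { version: "2.4.0" },
    "node_modules/some-cli/node_modules/color-convert": { version: "9.9.9" },
  },
});
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.where}: ${f.version} (pinned ${f.expected})`);
```

For a real project, pass the file contents: auditLockfile(require("fs").readFileSync("package-lock.json", "utf8")); an empty result means every copy matches the pins.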

Why is the qix NPM account compromise a significant supply-chain security threat?

The compromise of the qix NPM account is a critical threat because it allowed an attacker to inject malicious code into extremely popular, foundational JavaScript packages. These libraries are not typically direct dependencies but are pulled in by hundreds or thousands of other packages. This vast and invisible dependency tree meant the malicious code could spread to millions of applications and developer machines with minimal friction, weaponizing the inherent trust within the open-source ecosystem.

What is a “crypto-clipper” and how does it relate to the September 2025 NPM attack?

A “crypto-clipper” is a type of malware that hijacks cryptocurrency transactions. In the context of the NPM attack, the malicious code injected into packages like chalk and strip-ansi acts as a crypto-clipper. It silently monitors web traffic and clipboard data, specifically looking for crypto wallet addresses. When a user copies or initiates a transaction, the clipper swaps the legitimate recipient address with the attacker’s, rerouting funds and causing financial loss without the user’s immediate knowledge.

How can a simple build error uncover a sophisticated supply-chain attack?

In this attack, a seemingly minor build error, a ReferenceError: fetch is not defined, was the first indicator of a deep-rooted problem. This error occurred because the malware’s data exfiltration attempt relied on a modern browser function that was not present in an older Node.js environment. The failure to execute its payload made the malicious code visible, highlighting how even a simple configuration mismatch or an outdated environment can inadvertently act as a tripwire for sophisticated, obfuscated attacks.

The qix NPM account attack serves as a stark reminder that the open-source ecosystem, despite its collaborative nature, is a major target for sophisticated cyber threats. The vulnerability exposed is not just a technical flaw but a systemic risk stemming from the trust placed in third-party dependencies. Organizations must move beyond basic security practices and adopt a proactive, vigilant stance that includes hardening CI/CD pipelines, implementing strict dependency management policies, and fostering a security-first culture. Failing to act now leaves projects exposed to similar threats that can compromise intellectual property, user data, and financial assets on a massive scale.

This post What Happened in the Billion-Download NPM Supply-Chain Attack of September 2025? first appeared on BitcoinWorld and is written by Keshav Aggarwal
