A massive NPM supply chain attack that hit about 10% of all cloud environments yielded little for the hackers who engineered the compromise.
That’s the conclusion of a pair of reports that looked at the compromise that hit popular NPM packages like ansi-styles, debug and chalk that are downloaded more than 2 billion times a week. Project maintainer Josh Junon – aka “qix” – said on GitHub that he was fooled by a “2FA reset email that looked shockingly authentic,” and DuckDB-related packages were also compromised in a separate attack.
Organizations that depend on the packages got lucky that the attackers were apparently only interested in cryptojacking, cybersecurity observers concluded.
“Imagine if they had done reverse shells instead, or automated lateral movement to ransomware deployment NotPetya style,” said security researcher Kevin Beaumont. “The thing that saved companies here was the threat actor was [an] incompetent crypto boy, nothing more.”
NPM Attack Shows ‘How Fast Malicious Code Can Propagate’
According to the Open Security Alliance, the attacks on packages published by “qix” netted only about $20, while Socket determined that the attack on DuckDB-related packages yielded about $600. Both attacks used the “exact same” wallet-drainer payload, according to Socket.
“These low totals suggest that while the campaign was highly disruptive, its financial impact has been limited so far,” Socket said.
The Security Alliance said it appears that “the biggest financial impact of this entire incident will be the collective thousands of hours spent by engineering and security teams around the world working to clean compromised environments.”
Wiz reported that at least one instance of the affected packages are present in 99% of cloud environments, and the malicious code quickly spread to at least 10% of cloud environments.
“From this we can conclude that during the short 2-hour timeframe in which the malicious versions were available on npm, the malicious code successfully reached 1 in 10 cloud environments,” Wiz said. “This serves to demonstrate how fast malicious code can propagate in supply chain attacks like this one.”
How the NPM Supply Chain Attack Happened
Junon said the phishing email came from support at npmjs[.]help, impersonating the official npmjs.com site. Other maintainers reported having received the same email, which threatened to lock accounts if two-factor authentication wasn’t updated. The phishing emails read:
“As part of our ongoing commitment to account security, we are requesting that all users update their Two-Factor Authentication (2FA) credentials,” the email said. “Our records indicate that it has been over 12 months since your last 2FA update.
“To maintain the security and integrity of your account, we kindly ask that you complete this update at your earliest convenience. Please note that accounts with outdated 2FA credentials will be temporarily locked starting September 10, 2025, to prevent unauthorized access.”
The compromised packages were then updated “to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user,” Aikido said.
The massive supply chain attack comes amid reports that supply chain attacks have doubled in recent months, as attackers have been able to successfully exploit IT vulnerabilities at massive scale. The NPM attacks used a much simpler – but well-crafted – phishing email to achieve mass exploitation.
