
On September 8, 2025, attackers compromised a set of 18 widely used npm packages—including chalk, debug, ansi-styles, and strip-ansi—collectively downloaded over 2.6 billion times per week. Through a targeted phishing campaign against a maintainer, the attackers published malicious versions containing obfuscated JavaScript designed to intercept cryptocurrency transactions. Any organization pulling these versions into builds risked shipping tainted code into production environments.

The Impact: Scale, Reach, and Stealth

This incident highlights just how fragile the modern supply chain can be:

- Scale & reach: 2.6B weekly downloads meant thousands of downstream apps potentially bundled the malware.
- Foundational dependencies: The affected packages are utility libraries—often invisible, yet critical in front-end and back-end stacks.
- Stealthy payload: The injected code wrapped browser APIs, silently rewriting cryptocurrency wallet transactions before signing.

Compromised Packages and Versions

| # | Package | Malicious Version |
|---|---|---|
| 1 | ansi-regex | 6.2.1 |
| 2 | ansi-styles | 6.2.2 |
| 3 | backslash | 0.2.1 |
| 4 | chalk | 5.6.1 |
| 5 | chalk-template | 1.1.1 |
| 6 | color | 5.0.1 |
| 7 | color-convert | 3.1.1 |
| 8 | color-name | 2.0.1 |
| 9 | color-string | 2.1.1 |
| 10 | debug | 4.4.2 |
| 11 | has-ansi | 6.0.1 |
| 12 | is-arrayish | 0.3.3 |
| 13 | simple-swizzle | 0.2.3 |
| 14 | slice-ansi | 7.1.1 |
| 15 | strip-ansi | 7.1.1 |
| 16 | supports-color | 10.2.1 |
| 17 | supports-hyperlinks | 4.1.1 |
| 18 | wrap-ansi | 9.0.1 |

What Security Teams Should Do Immediately

Because…