{"id":54280,"date":"2025-09-09T03:30:31","date_gmt":"2025-09-09T07:30:31","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=54280"},"modified":"2025-09-10T04:24:07","modified_gmt":"2025-09-10T08:24:07","slug":"npm-packages-trojanized","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/npm-packages-trojanized\/54280\/","title":{"rendered":"Popular npm packages compromised"},"content":{"rendered":"

Several popular npm packages used in a number of web projects have been compromised and trojanized<\/a> by unknown attackers. The attackers, through a phishing attack on maintainers, were able to gain access to at least one repository and injected the packages with malicious code used to hunt for cryptocurrency. Thus, all web applications that used trojanized versions of the packages were turned into cryptodrainers. And there can be quite a few of them \u2014 as the compromised packages had more than two billion downloads per day (according to Aikido Security<\/a>).<\/p>\n

What are the dangers of the trojanized packages used in this attack?<\/h2>\n

Obfuscated JavaScript was added to all affected packages. If the compromised package is used in a web application, the malicious code is activated on the devices that were used to access this application. Acting at the browser level, malware intercepts network traffic and API requests, and changes data associated with Ethereum, Bitcoin, Solana, Litecoin, Bitcoin Cash, and Tron cryptocurrency wallets. The malware spoofs their addresses and redirects transactions to the attackers\u2019 wallets.<\/p>\n

About three hours after the attack began, the npm administration started to remove the infected packages, but it\u2019s not known exactly how many times they were downloaded during this time.<\/p>\n

How the attackers managed to gain access to the repositories<\/h2>\n

The attackers used a rather banal technique \u2014 they created a phishing email in which maintainers were urged to update their two-factor authentication credentials at the first opportunity. Otherwise, they were threatened with account lockout starting September 10, 2025. The emails were sent from a mailbox on the domain npmjs[.]help<\/em>, similar to the legitimate npmjs.com<\/em>. The same domain also hosted a phishing site that mimicked the official npm registry page. Credentials entered on this site immediately fell into the hands of the attackers.<\/p>\n

The attack was successful against at least one maintainer<\/a>, compromising the npm packages color, debug, ansi-regex, chalk, and several others. However, the phishing attack appears to have been more extensive, because other maintainers and developers received similar phishing emails, so the full list of trojanized packages may be longer.<\/p>\n


\nLeonid Bezververenko, Senior Security Researcher with the Global Research & Analysis Team (GReAT) comments:<\/strong>\n

The attack on npm packages with billions of downloads per week clearly demonstrates the vulnerability of supply chains in the open-source ecosystem. While the malicious payload in this case was limited \u2014 the attackers only managed to steal tens of dollars \u2014 the situation could have been much more serious.<\/p>\n

Infected packages could have been used to compromise corporate servers, introduce backdoors into business process management systems, or steal sensitive data from customers and partners. In such a scenario, we could have seen a large-scale compromise similar to the XZ attack: companies that integrated malicious libraries into internal services or SaaS products could have passed the infection on to hundreds or thousands of corporate customers.<\/p>\n

As with XZ case, the key factor of this incident was not a technical vulnerability, but the human factor \u2014 a developer of popular npm packages fell victim to a phishing email. Experience shows that maintainers of widely used open-source software remain an attractive target for attackers, because compromising one project can jeopardize thousands of other systems.<\/p>\n

This \u201cdomino effect\u201d can turn a single mistake or instance of carelessness into an industry-wide problem.
\n<\/p><\/div>\n

Which packages were compromised?<\/h2>\n

At the time of writing this post, the following packages are known to be compromised:<\/p>\n