npm · 2025
chalk · debug takeover
The maintainer of chalk, debug and 16 other npm libraries had accounts compromised via targeted phishing on Sept 8 2025. Malicious versions were live on the registry for roughly two hours.
What happened
On September 8 2025, prolific npm maintainer Josh Junon ("qix") was
phished with a targeted lookalike domain that impersonated npm support.
Attackers used the captured 2FA session to publish malicious versions of
18 packages he maintained, including two of the most-installed libraries
on the registry: chalk (~300 million weekly downloads) and debug
(~358 million weekly downloads).
Detection came from the community within about two hours, at which point
Junon and npm coordinated a full revert. The malicious window was short
enough that no source has credibly quantified how many machines actually
pulled the tainted versions. What is quantifiable is reach. The 18
packages together move roughly 2.6 billion weekly downloads across the
ecosystem. Any developer, CI job, or Docker build that ran npm install
inside that window against a resolving version could have pulled malicious
code.
How it propagated
The malicious payload targeted crypto wallets and browser sessions. Clipboard
hijacking of Bitcoin and Ethereum addresses, and interception of window.ethereum
provider calls. It ran client-side once bundled into a dependent app, not on
the developer machine directly, which is why "victim count" is not
quantifiable the way a postinstall script would be.
What Drig sees
lang_pkg streams lockfile state, so the tainted versions surface by
resolved version + hash the moment retro-match runs. Because the exposure
window was short, most fleets will show zero exposed hosts, which is itself
useful evidence. Fleets with pinned or auto-resolving CI can be checked in
minutes.
Rotation checklist
- Query CI build logs for
chalk,debugand the 16 sibling packages during the 2-hour window. - Rebuild any resolved lockfile that pulled a flagged version.
- If a build shipped, force clients on the affected app to rotate wallet addresses displayed to end-users.
- Cycle any secrets that were readable to the malicious code paths in the bundled app.
The wider lesson: reach is the exposure metric for npm supply-chain incidents, not a victim number nobody can compute.