Skip to content
Now taking design partners.Roadmap →

npm · 2025

chalk · debug takeover

The maintainer of chalk, debug and 16 other npm libraries had accounts compromised via targeted phishing on Sept 8 2025. Malicious versions were live on the registry for roughly two hours.

Run this campaignScale: 18 packages, 2.6B weekly downloads reach

What happened

On September 8 2025, prolific npm maintainer Josh Junon ("qix") was phished with a targeted lookalike domain that impersonated npm support. Attackers used the captured 2FA session to publish malicious versions of 18 packages he maintained, including two of the most-installed libraries on the registry: chalk (~300 million weekly downloads) and debug (~358 million weekly downloads).

Detection came from the community within about two hours, at which point Junon and npm coordinated a full revert. The malicious window was short enough that no source has credibly quantified how many machines actually pulled the tainted versions. What is quantifiable is reach. The 18 packages together move roughly 2.6 billion weekly downloads across the ecosystem. Any developer, CI job, or Docker build that ran npm install inside that window against a resolving version could have pulled malicious code.

How it propagated

The malicious payload targeted crypto wallets and browser sessions. Clipboard hijacking of Bitcoin and Ethereum addresses, and interception of window.ethereum provider calls. It ran client-side once bundled into a dependent app, not on the developer machine directly, which is why "victim count" is not quantifiable the way a postinstall script would be.

What Drig sees

lang_pkg streams lockfile state, so the tainted versions surface by resolved version + hash the moment retro-match runs. Because the exposure window was short, most fleets will show zero exposed hosts, which is itself useful evidence. Fleets with pinned or auto-resolving CI can be checked in minutes.

Rotation checklist

  • Query CI build logs for chalk, debug and the 16 sibling packages during the 2-hour window.
  • Rebuild any resolved lockfile that pulled a flagged version.
  • If a build shipped, force clients on the affected app to rotate wallet addresses displayed to end-users.
  • Cycle any secrets that were readable to the malicious code paths in the bundled app.

The wider lesson: reach is the exposure metric for npm supply-chain incidents, not a victim number nobody can compute.