Major NPM Supply Chain Attack Targets Popular Packages With 2 Billion Weekly Downloads
Attackers compromised popular npm packages through phishing, exposing millions of projects to malicious code
What Happened?
Attackers recently carried out a significant software supply chain attack by compromising the account of Josh Junon, a maintainer known professionally as “qix”, who managed several widely used JavaScript packages such as chalk and debug-js. In total, 20 packages were affected. These packages are downloaded over two billion times each week.
The attackers deceived the maintainer with a phishing email that appeared to come from “support@npmjs.help”, a domain designed to look nearly identical to npmjs.com. The phishing page prompted the developer to enter a username, password, and two-factor authentication token. Using an adversary-in-the-middle approach, the attackers intercepted those credentials and gained control of the maintainer’s account. They then published new versions of trusted packages that contained malware.
The malicious code was designed to steal cryptocurrency. Although the breach was contained quickly, the attack highlighted the risks associated with dependencies that are widely used throughout the JavaScript ecosystem.
What Is a Software Supply Chain Attack and Why It Matters
A software supply chain attack occurs when attackers compromise a component or process used in the development or distribution of software. Malicious code is then passed on to end users through a trusted channel.
This type of attack is especially dangerous in open source ecosystems that rely on package managers like npm. Developers frequently import dependencies automatically without reviewing every detail. If a trusted package such as chalk is compromised, malware can quickly spread across thousands of applications and reach millions of end users.
The risk extends well beyond the immediate package. Any project that integrates the compromised dependency may also be impacted, creating a cascading effect across the entire ecosystem.
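To make that cascading effect concrete, here is an added example (not code from the article or from IPQS) that walks a package-lock.json in the lockfile v2/v3 "packages" layout and lists every dependency chain from the project root that ends in a named package such as chalk or debug. The lockfile contents are constructed sample data, not a real project's lockfile.

```javascript
// Added example, not code from the article or from IPQS: walk a package-lock.json
// (lockfile v2/v3 "packages" layout) and list every dependency chain from the root
// that ends in a named package, e.g. chalk or debug. SAMPLE_LOCK is constructed data.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { "web-tool": "^1.0.0", "cli-helper": "^2.0.0", chalk: "^5.3.0" } },
    "node_modules/web-tool": { version: "1.0.0", dependencies: { debug: "^4.3.0" } },
    "node_modules/cli-helper": { version: "2.0.0", dependencies: { chalk: "^4.1.0" } },
    "node_modules/cli-helper/node_modules/chalk": { version: "4.1.2" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/debug": { version: "4.3.4", dependencies: { ms: "2.1.2" } },
    "node_modules/ms": { version: "2.1.2" },
  },
};

// Package name from a lockfile path ("node_modules/a/node_modules/b" -> "b").
const pkgName = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);

// npm resolution: a dependency required from `fromPath` is the nearest
// "<ancestor>/node_modules/<name>" entry, walking up toward the root ("").
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;                       // reached the root: not installed
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);  // step up one nesting level
  }
}

// Every chain root -> ... -> target, rendered as "name@version > name@version".
function exposurePaths(lock, target) {
  const pkgs = lock.packages;
  const results = [];
  const visit = (path, stack) => {
    if (stack.includes(path)) return;             // dependency cycle: stop here
    const chain = path ? [...stack, path] : [];   // the root "" is not part of a chain
    if (path && pkgName(path) === target) {
      results.push(chain.map((p) => pkgName(p) + "@" + pkgs[p].version).join(" > "));
      return;
    }
    for (const dep of Object.keys(pkgs[path].dependencies || {})) {
      const depPath = resolveDep(pkgs, path, dep);
      if (depPath) visit(depPath, chain);
    }
  };
  visit("", []);
  return results.sort();
}
```

To check a real project, call exposurePaths(JSON.parse(fs.readFileSync("package-lock.json", "utf8")), "chalk") and compare the versions it reports against the advisory's list of malicious releases.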
Attack Anatomy at a Glance
- Phishing Email: Convincing email from a fake domain (“npmjs.help”) sent to the maintainer.
- Credential Theft: Username, password, and 2FA token harvested through an adversary-in-the-middle site.
- Registry Abuse: The attacker pushed malicious versions of widely trusted packages to the npm registry.
- Malware Spread: Code capable of stealing cryptocurrency distributed through updated packages.
- Containment: Incident identified and malicious versions removed. Safe versions remain available.
How IPQS Could Have Helped Prevent This
IPQS offers fraud prevention and threat detection tools that could have reduced the impact of this attack at multiple stages:
- Phishing and Malicious Link Detection: The Malicious URL Scanner API can evaluate suspicious links in emails or browser traffic. The phishing domain (“npmjs.help”) could have been flagged before the maintainer interacted with it.
- Account Takeover and Suspicious Login Monitoring: IPQS provides Account Takeover Detection that scores logins based on risk factors such as unusual IP addresses, use of proxies or VPNs, and bot-like activity. Anomalous login attempts could have triggered alerts or required additional verification.
- Proxy and Bot Detection: IPQS can block logins originating from known data center proxies, Tor, VPN services, and bots. These sources are frequently used in credential theft and account abuse scenarios.
- Device Fingerprinting: By identifying unique device characteristics, IPQS can detect when a login occurs from an unfamiliar or mismatched device. Sensitive actions such as publishing package updates could then require further authentication.
- Email and Domain Reputation: IPQS email and domain reputation services can highlight fraudulent domains. This could have identified “npmjs.help” as suspicious, helping to prevent the phishing attempt from succeeding.
Final Thoughts
This npm supply chain attack demonstrates how a single compromised maintainer account can affect millions of users. The incident reinforces the need for stronger monitoring and security controls in open source package ecosystems.
With tools for phishing detection, account takeover protection, proxy and bot identification, and domain reputation checks, IPQS provides multiple layers of defense. These measures could have reduced the likelihood of success for this attack and helped safeguard both maintainers and the countless projects that rely on their work.