Malware Injected Into Code Packages That Get 2 Billion+ Downloads Each Week

In a massive attack on the JavaScript ecosystem, unidentified hackers have compromised a series of npm (Node Package Manager) packages with malware meant to steal crypto from unsuspecting users. Collectively, these npm packages receive more than two billion downloads per week.

What is an npm package?

An npm package is a bundle of reusable code, generally JavaScript, that can be installed through the npm registry. Packages can include virtually anything, from simple utilities to complete frameworks.

In this particular case, a total of 18 npm packages were compromised with malicious code. Some of the most popular packages affected include the following:

  • ansi-styles: 371.41 million weekly downloads
  • debug: 357.6 million weekly downloads
  • chalk: 299.99 million weekly downloads
  • wrap-ansi: 197.99 million weekly downloads
  • color-name: 191.71 million weekly downloads

The malicious code affects some less popular npm packages, too:

  • has-ansi: 12.1 million weekly downloads
  • chalk-template: 3.9 million weekly downloads
  • backslash: 260,000 weekly downloads

While other packages were affected besides the ones mentioned above, all of the compromised versions have since been removed from the npm registry.

How were the packages compromised?

The hackers launched a traditional phishing campaign to gain access to the original npm packages. After managing to hijack the account of an npm package maintainer, the hackers then injected their malicious code into 18 different npm packages and uploaded the compromised versions.

In Aikido Security’s Sept. 8, 2025, blog, security researcher Charlie Erickson wrote: “The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and Web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.”

Once installed, the malicious code runs in the victim’s web browser and monitors network requests and wallet interactions for sensitive data, such as crypto wallet addresses or transfers. It recognizes several different forms of cryptocurrency, including the following:

  • Bitcoin
  • Bitcoin Cash
  • Litecoin
  • Ethereum
  • Solana
  • Tron

Next, the malware overwrites the transaction’s legitimate destination address with one belonging to the hackers. The malicious code even covers its own tracks after it’s finished, remaining in the background to detect any future crypto transactions from the unsuspecting victim.

A reminder for developers everywhere

For developers, the npm breach is a stark reminder that security doesn’t stop at your own codebase.

Software dependencies, even those that have been trusted for years, can become compromised in the blink of an eye. As such, practices like regular audits, dependency monitoring, and Zero Trust policies are essential safeguards in an increasingly interconnected world.
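As an added example (not code from the article or from any of the projects named), a small Node script that audits a lockfile for the package names listed above, including copies nested under other dependencies. The article gives no version numbers, so the compromised-version set is a labelled placeholder to be filled from the registry advisory a team relies on.

```javascript
// Audit a package-lock.json (lockfile v2/v3) for the package names named in
// this incident. Added example, not from the article or the affected projects.
const AFFECTED_NAMES = new Set([
  "ansi-styles", "debug", "chalk", "wrap-ansi", "color-name",
  "has-ansi", "chalk-template", "backslash",
]);

// PLACEHOLDER: the article does not list compromised versions. Fill this from
// the advisory you use, e.g. { debug: new Set(["x.y.z"]) }.
const COMPROMISED_VERSIONS = {};

// Lockfile v2/v3 keeps a "packages" map keyed by install path, e.g.
// "node_modules/chalk" or "node_modules/express/node_modules/debug".
// A second "node_modules/" segment means a transitive (nested) copy.
function auditLockfile(lockJson, compromised = COMPROMISED_VERSIONS) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!AFFECTED_NAMES.has(name)) continue;
    const depth = path.split(marker).length - 1;
    const badVersions = compromised[name];
    findings.push({
      name,
      version: meta.version,
      path,
      transitive: depth > 1,
      knownBad: Boolean(badVersions && badVersions.has(meta.version)),
    });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one direct dependency on
// an affected name and one nested copy pulled in by another package.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/express/node_modules/debug": { version: "2.6.9" },
    "node_modules/color-name": { version: "1.1.4" },
  },
});

console.log(auditLockfile(SAMPLE_LOCK));
```

Every hit is worth a look even when `knownBad` is false: a version that resolved to one of these names during the compromise window should be compared against the advisory before the build is trusted.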

Cybercriminals are finding new, creative ways to leave their mark. Attackers recently exploited X’s Grok AI to spread malware via promoted ads, exposing millions to malicious links in a scheme researchers call “Grokking.”
