npm Supply Chain Attack: What Happened and How to Protect Your Software
Published: September 11, 2025
A New Supply Chain Attack in the npm Ecosystem
On September 8, 2025, a large-scale npm supply chain attack compromised 18 popular packages that together account for more than 2.6 billion weekly downloads across the JavaScript ecosystem.
Attackers hijacked a maintainer’s account by impersonating npm support in a phishing campaign, then published backdoored versions of widely used packages such as chalk, debug, ansi-styles, and supports-color.
The target was cryptocurrency transactions in ETH, BTC, SOL, LTC, and BCH. The malicious code monkey-patched browser APIs such as fetch and XMLHttpRequest and silently rewrote the destination address of outgoing payments to attacker-controlled wallets, so the user's wallet UI and the page looked normal while the funds went elsewhere.
The compromised versions were removed from the registry within about 2.5 hours; however, any project that installed or bundled those packages during that window may have shipped the malicious code to end users, and a cached lockfile update can carry it forward past the removal.
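The following JavaScript is an added example written for this page, not the actual payload from the incident. It models the hooking pattern described above on a simulated window object (a wrapper around fetch that rewrites any address-shaped token in the request body) and pairs it with the check a defender can run: save a reference to fetch in an inline script that executes before any bundled dependency, then compare later. The wallet addresses, the rpc.example URL, and the response stub are constructed placeholders.

```javascript
// Added example (JavaScript, runs under Node 18+): a minimal model of the
// fetch-hooking pattern, beside a check that detects it. Illustrative code
// written for this page, not the real malicious payload. Addresses and URLs
// below are constructed placeholders.
const ATTACKER_ETH = '0x' + 'a'.repeat(40); // hypothetical attacker wallet
const VICTIM_ETH = '0x' + '1'.repeat(40);   // hypothetical intended recipient
const ETH_ADDR_RE = /0x[0-9a-fA-F]{40}/g;

// Stand-in for the browser's real fetch: records every request it sees.
function makeOriginalFetch(log) {
  return async function fetch(url, init = {}) {
    log.push({ url, body: init.body });
    return { ok: true, status: 200 }; // stub response, constructed
  };
}

// The hook pattern: replace the global with a wrapper that rewrites any
// address-looking token in the outgoing body, then forwards to the original
// so the request still succeeds and nothing visible breaks.
function installHook(target) {
  const real = target.fetch;
  target.fetch = function fetch(url, init) {
    if (init && typeof init.body === 'string') {
      init = { ...init, body: init.body.replace(ETH_ADDR_RE, ATTACKER_ETH) };
    }
    return real.call(this, url, init);
  };
}

// Defender check: compare the live global against the reference captured
// before third-party code ran. In a browser you can additionally require the
// genuine function to stringify to "[native code]"; Node's fetch is written
// in JavaScript, so that second test is browser-only and off by default here.
function fetchLooksHooked(target, reference, { requireNative = false } = {}) {
  if (target.fetch !== reference) return true;
  if (requireNative) {
    const src = Function.prototype.toString.call(target.fetch);
    return !src.includes('[native code]');
  }
  return false;
}

// Run the scenario against a simulated window and report what the "server"
// received before and after the hook was installed.
function demo() {
  const log = [];
  const win = { fetch: makeOriginalFetch(log) };
  const reference = win.fetch; // saved at "page load"
  const body = JSON.stringify({ to: VICTIM_ETH, value: '1000000' });

  win.fetch('https://rpc.example/send', { method: 'POST', body });
  installHook(win); // simulates the backdoored bundle executing
  win.fetch('https://rpc.example/send', { method: 'POST', body });

  return {
    before: JSON.parse(log[0].body).to, // victim address reaches the server
    after: JSON.parse(log[1].body).to,  // attacker address reaches the server
    hooked: fetchLooksHooked(win, reference),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The identity comparison is the reliable signal: a hooked global is a different function object from the one captured at load time. The "[native code]" string check is a useful second signal in browsers but is trivially defeated by a wrapper that overrides toString, so treat it as a hint, not proof.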
Summary of the Attack
- Initial Access: A phishing email from support@npmjs[.]help urging the maintainer to update two-factor authentication credentials on a lookalike site, which handed the attacker the account.
- Payload: Obfuscated malicious JavaScript injected into the index.js of each affected package.
- Execution Surface: Client-side (browser) applications that bundle the malicious versions. Server-side Node installs picked up the compromised versions too, but the payload only activated in a browser context.
- Goal: To intercept and redirect cryptocurrency transactions.
- Timing: September 8, 2025, roughly 18:30 to 21:00 IST (13:00 to 15:30 UTC), around two and a half hours.
Stellar Development Foundation’s Response
The Stellar Development Foundation (SDF) issued a very prompt response indicating that its projects were unaffected.
SDF’s Steps:
- They conducted manual and automated audits of dependencies across all of their GitHub projects.
- They pinned npm packages to the last known-safe version.
- They advised developers to audit their local builds and pipelines for any exposure.
They clarified that the malware did not target Stellar wallets but primarily affected the ETH, BTC, and other ecosystems.
What Should Developers Do Now?
Even if your projects were not hit directly, this incident is a reminder for every organization to know exactly which open-source packages, and which versions, it depends on and ships.
Immediate Actions:
- Audit your dependencies with npm audit, an SCA scanner, or a third-party service, and compare installed versions against the compromised releases listed in the advisory, including transitive dependencies.
- Pin exact versions in package.json (save-exact=true in .npmrc) and commit your lockfile (package-lock.json, yarn.lock); install with npm ci in CI so a build fails when the lockfile and package.json disagree rather than silently resolving a newer version.
- Check whether any build or deploy pipeline ran npm install, or refreshed its lockfile, during the attack window; if so, rebuild from known-safe versions, redeploy, and treat the artifacts produced in that window as suspect.
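The steps above come down to one question: does any lockfile we build from resolve a denylisted package version, anywhere in the tree? The script below is an added example written for this page (not an npm or DigiCert tool) that answers it. It flattens either a lockfileVersion 2/3 "packages" map or a lockfileVersion 1 nested "dependencies" tree, so a compromised package pulled in transitively under another package is reported with its full path. The denylist entries and the sample lockfile are constructed placeholders with made-up version numbers; fill the denylist from the advisory for the incident you are handling.

```javascript
// Added example (JavaScript, Node): scan an npm lockfile for known-bad
// package versions. Illustrative code for this page, not an npm tool.
// SAMPLE_DENYLIST and SAMPLE_LOCK are constructed placeholders.

// "node_modules/a/node_modules/@s/b" -> "@s/b" (lockfile v2/v3 keys)
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Flatten a lockfile into { name, version, path } entries. Handles the
// "packages" map of lockfileVersion 2/3 and the nested "dependencies"
// tree of lockfileVersion 1, including packages nested under other packages.
function collectInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '' || !meta.version) continue; // "" is the root project
      found.push({ name: nameFromLockKey(key), version: meta.version, path: key });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        found.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Return every installed entry whose "name@version" is on the denylist.
function findCompromised(lock, denylist) {
  const bad = new Set(denylist);
  return collectInstalled(lock).filter((p) => bad.has(`${p.name}@${p.version}`));
}

// Read and scan a lockfile from disk (package-lock.json or npm-shrinkwrap.json).
function scanLockfile(file, denylist) {
  const fs = require('fs');
  return findCompromised(JSON.parse(fs.readFileSync(file, 'utf8')), denylist);
}

// Constructed sample: a v3 lockfile with one direct and one transitive hit.
// The versions are placeholders, not the real compromised releases.
const SAMPLE_DENYLIST = ['chalk@9.9.9', 'debug@9.9.9'];
const SAMPLE_LOCK = {
  name: 'app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { chalk: '^9.0.0', 'some-lib': '^1.0.0' } },
    'node_modules/chalk': { version: '9.9.9' },
    'node_modules/some-lib': { version: '1.0.0' },
    'node_modules/some-lib/node_modules/debug': { version: '9.9.9' },
    'node_modules/supports-color': { version: '1.0.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const hits = process.argv[2]
    ? scanLockfile(process.argv[2], SAMPLE_DENYLIST)
    : findCompromised(SAMPLE_LOCK, SAMPLE_DENYLIST);
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  if (hits.length === 0) console.log('no denylisted versions found');
}
```

Run it as `node scan-lock.js path/to/package-lock.json` (the file name is a placeholder) in the same CI job that runs npm ci, and fail the build on a non-empty result. Scanning the lockfile rather than package.json matters because a caret range such as ^5.0.0 in package.json says nothing about which version a given build actually resolved.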
Precautions to Prevent Future Supply Chain Attacks
Organizations can take a layered approach to secure their software ecosystem:
- Maintain an SBOM (Software Bill of Materials): keep a machine-readable inventory of every dependency, including transitive ones, so that when an advisory lands you can answer "do we ship this version?" in minutes instead of searching repositories by hand.
- Use code signing: signing your releases with a trusted Code Signing Certificate lets consumers verify that the software they received is the software you published and has not been modified in transit.
- Protect signing keys in an HSM: storing private keys in a Hardware Security Module keeps them from being exported or used outside the signing workflow, so a compromised developer account or build host cannot quietly sign malicious releases.
Conclusion
Dependency pinning, SBOM practices, and a secure code signing and software validation process such as DigiCert Software Trust Manager together help thwart future supply chain attacks.