Hackers Compromise 18 NPM Packages in Supply Chain Attack
Attacker Socially Engineered Developer With Phishing Email
Akshaya Asokan (asokan_akshaya) • September 9, 2025 • bankinfosecurity

A hacker laced 18 popular npm packages with cryptocurrency-stealing malware after socially engineering the developer into giving up his credentials for the npm package registry.
Aikido Security said Monday that the 18 packages together see more than two billion downloads a week. That day it noticed malicious code being pushed into the packages; the injected code intercepts cryptocurrency and web3 activity in the browser.
"Hi, yep I got pwned. Sorry everyone, very embarrassing," wrote developer John Junon. He received a phishing email from npmjs.help instructing him to update his two-factor authentication. That domain - a typosquat of npmjs.com - was registered on Sept. 5. "Made the mistake of clicking the link instead of going directly to the site like I normally would ...
Copyright of this story solely belongs to bankinfosecurity.