npm Packages With 2 Billion Weekly Downloads Hacked in Major Attack


Aikido Security flagged the largest npm attack ever recorded, with 18 packages like chalk, debug, and ansi-styles hacked to hijack crypto wallets via injected code.

Aikido Security has flagged what could be the biggest npm supply chain compromise ever recorded. The account of a long-trusted maintainer known as qix was hijacked through a phishing email, and 18 popular packages were altered with malicious code. Those packages include chalk, debug, and ansi-styles, which together represent more than two billion weekly downloads.

The good news is that detection was fast enough to limit the damage. Aikido’s lead malware researcher, Charlie Eriksen, said the attack was identified within five minutes and disclosed within an hour.

What makes this incident especially serious is the purpose of the injected malware. Instead of targeting development environments or servers, the code is designed to interfere with cryptocurrency transactions in the browser.

According to ...


Copyright of this story solely belongs to hackread.com.