NextFin

Hackers Compromise 18 Popular npm Packages in Massive Supply-Chain Attack

NextFin news: Hackers compromised 18 popular JavaScript packages hosted on the npm repository on Monday, September 8, 2025, in what is considered one of the largest supply-chain attacks ever. The affected packages are collectively downloaded more than 2 billion times a week worldwide, so the compromise threatened the global JavaScript ecosystem.

The incident originated when the npm account of Josh Junon, a maintainer of the affected packages, was compromised through a phishing email. The email, sent from a spoofed domain mimicking npm, tricked Junon into providing his login credentials and two-factor authentication token. This allowed attackers to gain control of his account and push malicious updates to the packages.

The malicious code injected by the attackers was designed to silently intercept cryptocurrency transactions in users' browsers. It manipulated wallet interactions by replacing legitimate wallet addresses with attacker-controlled addresses, redirecting payments without users' knowledge. The code contained over 280 lines and operated by monitoring infected systems for cryptocurrency activity.

The compromised packages included foundational JavaScript libraries that are widely used both directly and as dependencies by thousands of other packages and applications. Security researchers from firms such as Socket and Aikido highlighted the broad impact, noting the attack's targeted nature aimed at maximizing reach across the ecosystem.

Junon publicly acknowledged the compromise on social media and Hacker News, stating he had been "pwned" and apologizing to the community. He began cleaning up the affected packages immediately after the attack was discovered.

Security experts emphasized that the phishing attack exploited weaknesses in two-factor authentication methods that are vulnerable to interception. They called for npm and similar repositories to adopt more secure, phishing-resistant authentication methods such as hardware security keys.

The npm repository disabled the malicious package versions promptly to contain the attack. However, experts warned that frontend applications relying on cached or unpatched versions might still be at risk.
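Because the affected libraries are pulled in both directly and as transitive dependencies (see above), and because applications on cached or unpatched versions remain exposed, the practical defender's check is to walk the project's lockfile rather than only `package.json`. The following script is an added example and is not code from the article or from npm: it audits a `package-lock.json` (lockfileVersion 2/3 `packages` map) against an advisory list and reports every installed copy, including nested ones. The package names, versions and the sample lockfile are constructed placeholders, not the real affected packages or versions.

```javascript
// Added example (not from the article or from npm): audit an npm
// package-lock.json for direct and transitive installs of packages that
// appear in an advisory. All names and versions here are constructed
// placeholders; substitute the real advisory data when running it.

// Hypothetical advisory: package name -> set of compromised versions.
const ADVISORY = {
  "example-foundational-lib": new Set(["1.2.3"]),
  "example-color-util": new Set(["4.0.1", "4.0.2"]),
};

// Constructed sample lockfile (lockfileVersion 3 layout). One flagged
// package is a direct dependency; the other is installed only for
// "some-framework", nested under its own node_modules.
const SAMPLE_LOCK = {
  name: "my-frontend",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "my-frontend",
      dependencies: { "example-color-util": "^4.0.0", "some-framework": "^2.0.0" },
    },
    "node_modules/example-color-util": { version: "4.0.1" },
    "node_modules/some-framework": {
      version: "2.1.0",
      dependencies: { "example-foundational-lib": "^1.2.0" },
    },
    "node_modules/some-framework/node_modules/example-foundational-lib": { version: "1.2.3" },
    "node_modules/safe-lib": { version: "0.9.0" },
  },
};

// Derive the package name from a lockfile path, handling nesting and
// scopes: "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return one finding per installed copy whose name and exact version are
// listed in the advisory. A nested path (more than one "node_modules/"
// segment) means the copy was installed for a dependency, i.e. transitively.
function auditLockfile(lock, advisory = ADVISORY) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project itself
    const name = packageNameFromPath(lockPath);
    const badVersions = advisory[name];
    if (badVersions && badVersions.has(entry.version)) {
      findings.push({
        name,
        version: entry.version,
        path: lockPath,
        transitive: lockPath.split("node_modules/").length > 2,
      });
    }
  }
  return findings;
}

// Run against the constructed sample. For a real project, replace
// SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
const SAMPLE_FINDINGS = auditLockfile(SAMPLE_LOCK);
for (const f of SAMPLE_FINDINGS) {
  console.log(
    `${f.name}@${f.version} at ${f.path} (${f.transitive ? "transitive" : "direct"})`
  );
}
```

A lockfile walk like this catches the copy that `npm ls` output or a glance at `package.json` would miss: the nested install that exists only because a framework depends on it. A clean result on a fresh checkout still says nothing about a CDN or browser cache that is serving an already-built bundle, which is the residual risk the article points at.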

The attack also triggered responses from the cryptocurrency community, particularly within the Solana ecosystem. Several Solana-based protocols and wallets, including Drift Protocol, Solflare Wallet, Kamino Finance, Marinade Finance, and Jupiter Exchange, confirmed they were not affected by the compromised packages but urged users to remain vigilant.

Researchers noted that while this attack focused on cryptocurrency theft, similar supply-chain compromises could be used to deploy more destructive malware. The incident underscores the fragility of open-source software supply chains and the critical need for enhanced security measures in widely used code repositories.

Sources: Ars Technica, Krebs on Security, SiliconANGLE, NullTX (all reporting on September 8-9, 2025).
