
NPM - Multiple packages vulnerable



On Monday, September 8th, several popular NPM packages were updated. If your package.json looked something like:

```json
"chalk": "^5.6.0"
```

…and you ran npm install, pnpm install or another JavaScript package manager, you may have installed the vulnerable packages.

It turns out these packages were compromised in a supply chain attack against several npm packages, one of several such attacks in recent years. Sadly, this type of attack is becoming more frequent and more dangerous; a similar case hit the headlines last year in June with the compromise of cdn.polyfill.io.

The list of vulnerable packages follows:

🔒 How the Attack Unfolded

The attack began with a phishing campaign targeting an NPM contributor:

  • The attacker sent an email that appeared to be from NPM, urging the contributor to reset their password.
  • The email linked to a reverse-proxy phishing site, which perfectly mirrored the real NPM login page.
  • When the victim entered their credentials, the attacker stole both passwords and cookies, gaining access to the contributor’s NPM account.
  • With that access, the attacker published malicious updates to multiple NPM packages.

⚠️ Tip: If you receive an email about resetting your password, don’t click the link. Instead, go directly to the official site (e.g., microsoft.com) and change it there.

[Bsky messages](https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydje4zqis2y)


First packages compromised - [Link](https://news.ycombinator.com/item?id=45169794)


Malware Summary

The malware is a browser-based crypto address hijacker that intercepts blockchain transactions and replaces legitimate recipient wallet addresses with attacker-controlled ones. It is designed to work across multiple cryptocurrency networks and targets users who connect their wallets via compromised websites.

The attack flow is as follows:

  • Environment check: Verifies it’s running in a browser (typeof window !== 'undefined').
  • Wallet detection: Looks for window.ethereum.
  • API hooks: Installs fetch/XHR/wallet provider hooks.
  • Waits for transaction: Intercepts outgoing requests.
  • Regex scan: Finds recipient addresses in transaction payload.
  • DEX check: Compares against known router addresses.
  • Address swap: Replaces with attacker-controlled address.
  • Forward & spoof: Sends modified transaction and returns fake success.

Am I Infected?

If you installed packages on September 8th, you should check immediately.

What to do:

  1. Reinstall dependencies – Run npm install or pnpm install today. All affected packages have already been patched, so a fresh install pulls the clean versions.

  2. Run an audit:

    ```bash
    npm audit
    ```
  3. Search for malware markers – In your node_modules, look for suspicious identifiers such as _0x112fa8, the name of the variable that held the obfuscated malware payload.

    ```bash
    rg -uu --max-columns=80 --glob '*.js' _0x112fa8
    # or if you have just one project
    cd /your_project_path/node_modules
    grep -iR "0x112fa8"
    ```

Remediation Advice

If you suspect you may have been affected, take the following steps immediately:

  1. Verify your package versions

    • Check which versions of dependencies are currently installed in your project.
  2. Clear your NPM cache

    ```bash
    npm cache clean --force
    ```
  3. Reinstall all dependencies

    • Remove your node_modules folder and reinstall everything from scratch:

      ```bash
      rm -rf node_modules
      npm install
      ```
  4. Use a lockfile and pinned versions

    • Always commit and rely on package-lock.json or pnpm-lock.yaml.
    • Pin dependencies to exact versions to avoid unexpected updates.

Other Resources

Good resources for further reading:

Chalk issue explaining the malware, with the GitHub discussion: https://github.com/chalk/chalk/issues/656

One of the first reports identifying the malware: https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

A very good breakdown of the malware: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack