On September 8, 2025, the npm ecosystem experienced one of its most severe supply chain attacks to date. Through a carefully orchestrated phishing campaign, an unknown attacker - dubbed "The Package Poisoner" - compromised 18 of npm's most popular packages, affecting a combined total of over 2.5 billion weekly downloads. The malicious code injected into these packages manipulated network traffic to intercept and redirect cryptocurrency transactions across multiple blockchain networks. Thanks to the alertness of a few sharp-eyed developers and rapid community response, what could have been a catastrophic incident was contained within hours. This is the story of how a simple phishing email nearly poisoned the entire JavaScript ecosystem, and how it was stopped.

The Phishing That Compromised Millions

Monday Morning, September 8, 2025

Josh Junon, maintainer of chalk, a package with 300 million weekly downloads, receives an email from support@npmjs.help. The message appears legitimate: npm is requesting all users update their Two-Factor Authentication credentials, warning that accounts with outdated 2FA will be temporarily locked starting September 10, 2025.

The email looks professional. The domain seems right at a glance. The request makes sense—security updates are routine. Josh clicks the "Update 2FA Now" link.

The phishing email

Later That Morning - Account Lockout

After completing what appeared to be a 2FA update process, Josh is logged out of his npm account. Attempts to log back in fail. Password reset emails never arrive. The horrible realization sets in: the account has been compromised.

Afternoon - The Anonymous Tip

Security researcher Derek Held receives a tip from an anonymous developer that some extremely popular packages on npm have started to behave suspiciously. He posts about it from his infosec.exchange account to warn other developers. In parallel, researcher Charlie Eriksen discovers the same suspicious behavior and alerts Josh Junon that his account has been hacked.

At this point the word starts to get out. GitHub issues, Twitter DMs, frantic emails from developers worldwide: "Why did chalk just update?" "There's obfuscated code in version 5.6.1!" "Is chalk compromised?"

Josh watches helplessly as his package, trusted by millions, pushes malicious code across the ecosystem. He can't even access his own account to stop it, and it takes hours before he’s able to get help from NPM.

How The Package Poisoner Operated

The Phishing Infrastructure

The domain npmjs[.]help, which was used to launch the phishing campaign against the package maintainers, had been registered only a few days earlier, on September 5, 2025. The site imitates the official npm website perfectly:

The phishing website

The impersonating site contained a fake login form that sent the victim’s data to websocket-api2.publicvm[.]com. publicvm.com is a service that provides temporary virtual machines and is frequently used by threat actors.

The Malware

The injected code targets both network traffic and application APIs. By hooking into critical browser functions like fetch, XMLHttpRequest, and wallet APIs (window.ethereum, Solana providers, etc.), it silently positions itself between the user and their crypto interactions.

From there, it performs three main actions:

  1. Watches for wallet activity
    • Detects when a crypto wallet (MetaMask, Solana, Tron, etc.) is in use.
    • Monitors API calls and transaction payloads for anything resembling wallet addresses, approvals, or transfers.
  2. Rewrites destinations
    • Replaces legitimate crypto addresses in transactions with attacker-controlled ones.
    • Supports multiple blockchains including Ethereum, Bitcoin, Solana, Litecoin, Tron, and Bitcoin Cash.
    • Chooses “lookalike” replacement addresses via string similarity checks, so the swapped address resembles the original and the substitution is harder for users to notice.

Regexes for cryptocurrency wallets from the malicious code

  3. Hijacks transactions before signing
    • Alters Ethereum transaction parameters such as recipients, approve and transferFrom calls, or DEX swap targets.
    • For Solana, replaces pubkeys and account references to silently redirect funds.
    • Even if the UI looks correct, the transaction being signed is already compromised.
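Two tripwires a dapp or wallet front end can run to notice when the APIs this payload hooks (fetch, XMLHttpRequest, window.ethereum) have been replaced by JavaScript wrappers. This is an added example, not code from the original post or from the malware; it assumes `window` is passed as the root in a browser, and the watched paths and the snapshot/identity approach are this example's own choices.

```javascript
// Added example, not code from the original post or from the malware.
// Run findPatchedBuiltins(window) and compare takeSnapshot(window) against a
// later findReplacedSince() call in a real page; the test uses a constructed root.

// Browser built-ins the post says the payload wrapped.
const BUILTIN_APIS = ["fetch", "XMLHttpRequest.prototype.open", "XMLHttpRequest.prototype.send"];
// Wallet provider methods. Extensions inject these as ordinary JavaScript, so
// the native-code test cannot apply to them; they are instead checked by
// identity against a baseline captured as early in page load as possible.
const PROVIDER_APIS = ["ethereum.request"];

// Walks "a.b.c" on root; undefined if any step is missing.
function resolvePath(root, path) {
  return path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Engine-provided functions stringify as "function name() { [native code] }";
// a wrapper written in JavaScript stringifies to its own source text.
// Caveat: bind() results and Proxies also stringify as native, and a hook can
// override Function.prototype.toString, so a clean result is evidence, not proof.
function looksNative(fn) {
  return typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Tripwire 1: built-ins that exist on the page but are no longer native code.
function findPatchedBuiltins(root, paths = BUILTIN_APIS) {
  return paths.filter((p) => {
    const fn = resolvePath(root, p);
    return typeof fn === "function" && !looksNative(fn);
  });
}

// Tripwire 2: record function identities now, then report any that changed.
function takeSnapshot(root, paths = PROVIDER_APIS) {
  return new Map(paths.map((p) => [p, resolvePath(root, p)]));
}
function findReplacedSince(snapshot, root) {
  return [...snapshot]
    .filter(([p, fn]) => fn !== undefined && resolvePath(root, p) !== fn)
    .map(([p]) => p);
}
```

A hit from either tripwire means a script on the page has taken a position between the user and the network or wallet, which is exactly the position this payload takes; a clean result only means the cheap checks passed.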

Why It’s So Dangerous

Unlike traditional supply chain attacks that drop simple backdoors, this malware operates at multiple layers of the stack:

  • Browser level: intercepts API calls and network responses.
  • Wallet level: tampers with transactions just before signing.
  • User interface level: ensures the compromised transactions still look normal to victims.

The result? Users could believe they’re sending funds to a trusted address or approving a legitimate contract, when in reality, the funds are redirected to attacker-controlled wallets across multiple chains.

Final Thoughts

The Package Poisoner attack exposes an uncomfortable truth: the security of Fortune 500 companies, government agencies, and critical infrastructure rests on the shoulders of volunteer maintainers who face increasingly sophisticated attacks with minimal support. Josh Junon, like thousands of other maintainers, provides immense value to the ecosystem: chalk is downloaded 300 million times weekly and is a dependency in countless production systems. Yet he and others do this work in their spare time, often unpaid, without access to the enterprise security teams or training that could help defend against professional cybercriminals.

This time the payload targeted cryptocurrency wallets, but the same attack vector could deliver ransomware, data stealers, or backdoors. NPM packages run with full user permissions - access to SSH keys, AWS credentials, source code, and production systems. We've built a house of cards where we expect volunteers to have the security expertise of nation-state defenders while giving them none of the resources. Until we address this systemic failure through proper funding, security infrastructure, and support for maintainers, we remain one phishing email away from disaster. The problem isn't the maintainers, it's the system that leaves them exposed.

Koi was built to solve this problem. Our platform gives practitioners and enterprises the ability to uncover, evaluate, and control what their teams bring in from ecosystems like NPM, Chrome Web Store, VS Code, Hugging Face, Homebrew, and beyond. Today, some of the world’s largest banks, Fortune 50 companies, and leading technology firms rely on Koi to automate the processes that bring visibility, establish governance, and proactively shrink this expanding attack surface.

If you want to see how it works — or if you’re ready to take action — book a demo or reach out to us.

We’ve got more to share soon, so stay tuned.

IOCs

Compromised packages

These are the packages currently known to be compromised. The incident is still ongoing, so the list may be updated.

  • ansi-regex@6.2.1
  • ansi-styles@6.2.2
  • backslash@0.2.1
  • chalk-template@1.1.1
  • chalk@5.6.1
  • color-convert@3.1.1
  • color-name@2.0.1
  • color-string@2.1.1
  • debug@4.4.2
  • error-ex@1.3.3
  • has-ansi@6.0.1
  • is-arrayish@0.3.3
  • simple-swizzle@0.2.3
  • slice-ansi@7.1.1
  • strip-ansi@7.1.1
  • supports-color@10.2.1
  • supports-hyperlinks@4.1.1
  • wrap-ansi@9.0.1
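A lockfile check for the versions listed above, as an added example that is not part of the original post. It assumes a package-lock.json with lockfileVersion 2 or 3, where every installed copy (including nested ones under a dependency's own node_modules) has its own entry under "packages"; the sample lockfile in the block is constructed for illustration.

```javascript
// Added example, not from the original post: scan an npm package-lock.json
// (lockfileVersion 2 or 3) for the compromised package@version pairs above.
const COMPROMISED = new Map([
  ["ansi-regex", "6.2.1"], ["ansi-styles", "6.2.2"], ["backslash", "0.2.1"],
  ["chalk-template", "1.1.1"], ["chalk", "5.6.1"], ["color-convert", "3.1.1"],
  ["color-name", "2.0.1"], ["color-string", "2.1.1"], ["debug", "4.4.2"],
  ["error-ex", "1.3.3"], ["has-ansi", "6.0.1"], ["is-arrayish", "0.3.3"],
  ["simple-swizzle", "0.2.3"], ["slice-ansi", "7.1.1"], ["strip-ansi", "7.1.1"],
  ["supports-color", "10.2.1"], ["supports-hyperlinks", "4.1.1"], ["wrap-ansi", "9.0.1"],
]);

// Lock entries are keyed by install path, e.g. "node_modules/a/node_modules/debug".
// The package name is everything after the last "node_modules/", scope included.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Returns [{ path, name, version }] for every entry pinned to a compromised
// version. Exact-version match: the clean releases before and after are fine.
function findCompromised(lock, iocs = COMPROMISED) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project itself
    const name = entry.name || packageNameFromKey(key);
    if (iocs.get(name) === entry.version) {
      hits.push({ path: key, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project): a direct hit on chalk, a
// clean older debug at the top level, and a compromised debug nested deeper.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.6.1" },
    "node_modules/debug": { version: "4.4.1" },
    "node_modules/some-lib/node_modules/debug": { version: "4.4.2" },
  },
};
```

To run it against a real project, parse the file with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass the result to `findCompromised`; any hit means the compromised code may already be in node_modules and in build output.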

Domains


  • npmjs[.]help
  • websocket-api2.publicvm[.]com
