Malicious javascript compromise on npmjs.com

These packages, about a billion downloads prior

supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-name

Thread follows.

Example change and download stats on one of the 12 packages changed, incident started about 2 hours ago.

Example copy of one of the inserted JS: https://pastebin.com/bwLZrq02

Just reported to NPM, they work on it.

Derek's caught it too https://infosec.exchange/@derekheld/115169311485030806

It's a cryptocurrency wallet drainer, RIP a load of devops dudes crypto.

NPM on it, some packages nuked, more being nuked

If you want an idea of scale of trojan attempt - 'color' alone had 32m downloads in a week, the combined attempt was pushing a billion due to upstream dependencies.

Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.

additional backdoored packages

ansi-styles
debug
chalk
supports-color
strip-ansi
ansi-regex
has-ansi

Weekly download stats for impacted packages prior to incident

ansi-styles (371.41m)
debug (357.6m)
backslash (0.26m)
chalk-template (3.9m)
supports-hyperlinks (19.2m)
has-ansi (12.1m)
simple-swizzle (26.26m)
color-string (27.48m)
error-ex (47.17m)
color-name (191.71m)
is-arrayish (73.8m)
slice-ansi (59.8m)
color-convert (193.5m)
wrap-ansi (197.99m)
ansi-regex (243.64m)
supports-color (287.1m)
strip-ansi (261.17m)
chalk (299.99m)

Total 2674m

Phishing email sent to maintainers, they basically targeted people with 2FA by getting them to.. reset their 2FA.