Malicious JavaScript compromise on npmjs.com

These packages, about a billion downloads prior:

supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-name

Thread follows.

Example change and download stats on one of the 12 packages changed; incident started about 2 hours ago.

It's a cryptocurrency wallet drainer. RIP a load of devops dudes' crypto.

If you want an idea of the scale of the trojan attempt: 'color' alone had 32m downloads in a week, and the combined attempt was pushing a billion due to upstream dependencies.

Hunt tip: look for registry.npmjs.org in proxy logs, package names are in the URLs.

Additional backdoored packages:

ansi-styles
debug
chalk
supports-color
strip-ansi
ansi-regex
has-ansi

Weekly download stats for impacted packages prior to the incident:

ansi-styles (371.41m)
debug (357.6m)
backslash (0.26m)
chalk-template (3.9m)
supports-hyperlinks (19.2m)
has-ansi (12.1m)
simple-swizzle (26.26m)
color-string (27.48m)
error-ex (47.17m)
color-name (191.71m)
is-arrayish (73.8m)
slice-ansi (59.8m)
color-convert (193.5m)
wrap-ansi (197.99m)
ansi-regex (243.64m)
supports-color (287.1m)
strip-ansi (261.17m)
chalk (299.99m)

Total 2674m
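A worked version of the hunt tip above, as an added example that is not part of the thread or of any of the affected projects: it parses constructed proxy log lines (assumed format: timestamp, client IP, method, URL, status), pulls the package name and version out of registry.npmjs.org URLs, and matches the name exactly against the packages listed in the thread. The thread gives names only, not version numbers, so the script flags every fetch of those packages and the version comparison against the advisory is left to you. The log lines, IPs and version numbers are all made up for the example.

```python
"""Hunt npm registry fetches of the packages named in the thread in a proxy log."""
from urllib.parse import urlparse, unquote

# Package names as listed in the thread above (names only; no versions given).
IMPACTED_PACKAGES = frozenset({
    "supports-hyperlinks", "chalk-template", "simple-swizzle", "slice-ansi",
    "error-ex", "is-arrayish", "wrap-ansi", "backslash", "color-string",
    "color-convert", "color", "color-name",
    "ansi-styles", "debug", "chalk", "supports-color", "strip-ansi",
    "ansi-regex", "has-ansi",
})

REGISTRY_HOST = "registry.npmjs.org"

# Constructed sample log (assumed layout: ts client method url status).
# Versions and addresses are invented; the last line shows what a proxy
# without TLS inspection logs: only the CONNECT, no package name.
SAMPLE_LOG = """\
1757368000 10.0.0.5 GET https://registry.npmjs.org/chalk/-/chalk-9.9.9.tgz 200
1757368001 10.0.0.5 GET https://registry.npmjs.org/color 200
1757368002 10.0.0.7 GET https://registry.npmjs.org/colorette/-/colorette-9.9.9.tgz 200
1757368003 10.0.0.7 GET https://registry.npmjs.org/@types/node/-/node-0.0.0.tgz 200
1757368004 10.0.0.9 GET https://registry.npmjs.org/debug/-/debug-9.9.8.tgz 200
1757368005 10.0.0.9 GET https://example.com/chalk/-/chalk-9.9.9.tgz 200
1757368006 10.0.0.9 CONNECT registry.npmjs.org:443 200
"""


def parse_npm_url(url):
    """Return (package_name, version_or_None) for a registry URL, else None.

    Handles the two URL shapes npm clients hit:
      /<name>                      metadata document (version resolution)
      /<name>/-/<unscoped>-<ver>.tgz  tarball download
    where <name> may be scoped (@scope/name) and may be percent-encoded.
    """
    parsed = urlparse(url)
    if parsed.hostname != REGISTRY_HOST:
        return None
    parts = [p for p in unquote(parsed.path).split("/") if p]
    if not parts or parts[0] == "-":          # /-/v1/search, /-/ping, ...
        return None
    n = 2 if parts[0].startswith("@") else 1  # scoped names use two segments
    if len(parts) < n:
        return None
    name = "/".join(parts[:n])
    rest = parts[n:]
    if not rest:
        return name, None
    if len(rest) == 2 and rest[0] == "-" and rest[1].endswith(".tgz"):
        # Tarball basename is <unscoped name>-<version>.tgz; strip the known
        # name prefix rather than splitting on '-', which would break on
        # hyphenated names and prerelease versions.
        unscoped = parts[n - 1]
        basename = rest[1][:-4]
        if basename.startswith(unscoped + "-"):
            return name, basename[len(unscoped) + 1:]
    return None


def hunt(log_text, watchlist=IMPACTED_PACKAGES):
    """Return [(client, package, version)] for each watchlisted registry fetch."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        found = parse_npm_url(url)
        if found and found[0] in watchlist:   # exact name match, not substring
            hits.append((client, found[0], found[1]))
    return hits


def naive_grep(log_text, needle):
    """What a plain `grep <name>` gives you: substring hits, unrelated packages included."""
    return [line for line in log_text.splitlines() if needle in line]


if __name__ == "__main__":
    for client, pkg, ver in hunt(SAMPLE_LOG):
        print(f"{client} fetched {pkg} {ver or '(metadata only)'}")
```

Two things the sample shows that a quick grep does not: grepping for `color` also matches `colorette`, `color-name` and every other package with that substring, so match the parsed name exactly; and if the proxy is not doing TLS inspection you only see `CONNECT registry.npmjs.org:443`, which tells you which hosts talked to the registry but not which package they pulled, so the next stop is the npm cache or lockfiles on those hosts.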

Phishing email sent to maintainers; they basically targeted people with 2FA by getting them to... reset their 2FA.

Developer confirms they fell for the phishing email.

It looks like others have too; found one other compromised repo from a different user. Will have a dig tomorrow as I'm bored of cyber tonight.

bsky.app/profile/bad-at-comput

For anybody confused about how this happens, basically:

- For about the past 15 years, every business has been developing apps by pulling in 178 interconnected libraries written by 24 people in a shed in Skegness.

- For about the past 2 years, orgs have been buying AI vibe coding tools, where some exec screams "make online shop" into a computer, 389 libraries are added and an app is farted out.

The output = if you want to own the world's companies, just phish one guy in Skegness.

@GossiTheDog Fortunately, no one that is writing code for industrial control systems is using those poorly understood libraries..... RIGHT???

Qoto Mastodon