On September 8, 2025, a critical NPM supply chain attack compromised over 20 widely used JavaScript packages including chalk, debug, strip-ansi, ansi-regex, color-convert, and wrap-ansi — collectively downloaded billions of times weekly. The attack began when maintainer Josh Junon fell victim to a sophisticated phishing email mimicking an NPM 2FA reset notification, allowing attackers to publish malicious versions containing cryptocurrency-stealing malware. The injected code detects Ethereum wallets, replaces cryptocurrency addresses across Bitcoin, ETH, Tron, Litecoin, and Solana, and hijacks network requests to redirect DeFi transactions on platforms like Uniswap and PancakeSwap. Recovery steps include checking for affected package versions, clearing the npm cache, rotating secrets, and monitoring crypto wallets. Preventive measures discussed include npm package cooldown periods, CI/CD runtime monitoring via tools like StepSecurity Harden-Runner, and artifact provenance verification.

From stepsecurity.io
Table of contents
- Executive Summary
- Attack Vector and Methodology
- Technical Analysis of the Malicious Code
- Complete List of Affected Packages
- Recovery Steps
- Industry Response and Mitigation
- Lessons Learned and Future Prevention
- Conclusion
