Josh Junon's npm account was compromised via a fake 2FA reset email, leading to backdoored versions of popular packages including 'color' (32M weekly downloads) and 'chalk'. The malicious payload appears designed to target crypto websites in browsers rather than server environments. The attack required multiple steps to be