Date: 2025-09-11

What happened in the attack?

The incident involved popular utility libraries essential for tasks like color manipulation, debugging, and ANSI string handling in JavaScript applications. The compromised packages included:

ansi-regex (version 6.2.1)

ansi-styles (6.2.2)

backslash (0.2.1)

chalk (5.6.1)

chalk-template (1.1.1)

color-convert (3.1.1)

color-name (2.0.1)

color-string (2.1.1)

debug (4.4.2)

has-ansi (6.0.1)

is-arrayish (0.3.3)

simple-swizzle (0.2.3)

slice-ansi (7.1.1)

strip-ansi (7.1.1)

supports-color (10.2.1)

supports-hyperlinks (4.1.1)

wrap-ansi (9.0.1)

and others, such as color (5.0.1).

These packages collectively boast over 2 billion weekly downloads, making this one of the largest supply chain incidents in npm's history. The attackers injected obfuscated JavaScript code designed to act as a cryptocurrency stealer. By wrapping browser APIs, the malware intercepted web3 transactions and silently replaced wallet addresses to redirect funds to the attacker's control.

Fortunately, the attack was detected quickly—thanks in part to the attackers' use of a well-known obfuscator, which made the malicious code easier to spot. Although the compromised versions were downloaded over 2.5 million times, the actual financial impact was minimal, with only around $500 in stolen cryptocurrency reported. Still, the potential for widespread damage was enormous, highlighting how a single point of failure in the open source ecosystem can ripple through countless applications.
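To check whether a project resolved any of the versions listed above, the following added example (not part of the original article) scans a parsed package-lock.json for exact name and version matches. It assumes a lockfile with a "packages" map (lockfileVersion 2 or 3); the function name and the sample lockfile are constructed for illustration.

```javascript
// Name -> compromised version, copied from the list in this article.
const COMPROMISED = new Map(Object.entries({
  "ansi-regex": "6.2.1", "ansi-styles": "6.2.2", "backslash": "0.2.1",
  "chalk": "5.6.1", "chalk-template": "1.1.1", "color-convert": "3.1.1",
  "color-name": "2.0.1", "color-string": "2.1.1", "debug": "4.4.2",
  "has-ansi": "6.0.1", "is-arrayish": "0.3.3", "simple-swizzle": "0.2.3",
  "slice-ansi": "7.1.1", "strip-ansi": "7.1.1", "supports-color": "10.2.1",
  "supports-hyperlinks": "4.1.1", "wrap-ansi": "9.0.1", "color": "5.0.1",
}));

// Scan the "packages" map of a parsed lockfile. Keys look like
// "node_modules/a/node_modules/b"; the package name is whatever follows the
// last "node_modules/", which also handles scoped names such as "@types/debug".
// Older lockfiles that only have a "dependencies" tree are not covered here.
function findCompromised(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace entry
    // An aliased install records the real package name in "name".
    const name = entry.name || path.slice(idx + "node_modules/".length);
    if (COMPROMISED.get(name) === entry.version) {
      hits.push({ name, version: entry.version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.6.1" },   // listed version
    "node_modules/debug": { version: "4.4.1" },   // same package, other version
    "node_modules/ora/node_modules/strip-ansi": { version: "7.1.1" }, // nested
    "node_modules/colour": { name: "color", version: "5.0.1" },       // alias
    "node_modules/@types/debug": { version: "4.4.2" }, // different package
  },
};

for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`${hit.name}@${hit.version} at ${hit.path}`);
}
```

For a real project, pass the result of `JSON.parse` on the contents of package-lock.json to `findCompromised`. Nested paths matter because these utilities are usually pulled in transitively rather than declared directly.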