A hacker has compromised more than a dozen widely used open-source software modules after tricking a programmer with a phishing email, injecting malicious code designed to steal cryptocurrency.
The attack, discovered on September 8, 2025, involved 18 npm packages that collectively see over 2 billion weekly downloads, according to Aikido Security. These JavaScript libraries provide everyday functions such as text formatting and font conversion, making them essential building blocks for countless software projects.
How the Hack Happened
Josh Junon, the maintainer of the affected packages, confirmed on Monday that his account had been taken over following a phishing email. The email appeared to come from npm’s official domain but was actually sent from npmjs[.]help, a lookalike site. It posed as a security alert urging a two-factor authentication update, which gave the attacker direct access to Junon’s account.
Once inside, the hacker replaced safe package versions with malware. The injected code targeted cryptocurrency transactions by hijacking browsers and redirecting payments to attacker-controlled wallets.
Why It Matters
- 18 npm packages compromised
- Roughly 2 billion combined weekly downloads across the affected packages
- Phishing email exploited GitHub-owned npm branding
- Malware swapped crypto transactions to the hacker's address
- Fast community response limited the damage
Aikido Security described the breach as “the largest supply chain compromise in npm history.” However, security firm Semgrep noted that because the malicious versions were online briefly and recorded minimal downloads, the overall impact is likely small.
Security Community Reacts
Researchers moved quickly to identify and remove the infected packages. Florian Roth, a well-known security expert, called the compromise serious but said the payload itself was “amateur-grade,” suggesting the attacker had access but not advanced technical skills.
Still, the incident raises alarms about the fragility of open-source ecosystems. Millions of developers depend on npm packages without fully vetting the code. As Socket, another security provider, explained, “All it takes is one compromised maintainer for the malware to spread downstream.”
Looking Ahead
The breach highlights how phishing, rather than sophisticated exploits, continues to be one of the most effective ways for attackers to penetrate critical software infrastructure. It also underscores the need for stronger verification processes for package maintainers to protect the software supply chain.