Compromise of Popular NPM Packages Debug and Chalk

October 10, 2025
By Harsha Vardhan Kurati
Security Analyst II, Security and Compliance, Delivery

At a glance

  • Supply chain attack targeting the NPM Debug and Chalk packages.
  • Malicious code injected into popular NPM packages.
  • Backdoored package versions designed to intercept crypto/Web3 wallet activity and redirect funds to attacker-controlled addresses.

Observation Summary

  • A recent supply chain attack compromised two widely used NPM packages, Debug and Chalk, after an attacker gained access to a maintainer’s account through a phishing campaign. Malicious code was injected into updated versions of these packages, designed to target browser environments and intercept cryptocurrency wallet transactions.
  • The affected versions were quickly removed, but the incident highlights the growing risks of open-source dependency compromises.

What's Happening

  • Attackers sent a phishing email from a fake domain (support@npmjs.help).
  • The NPM packages “Debug” and “Chalk”, along with several dependencies, were compromised after the attacker phished the maintainer’s credentials.
  • The attacker achieved account takeover by sending a fake NPM support email prompting the maintainer to reconfigure 2FA, which gave the attacker full package publishing access.
  • With the maintainer’s npm account under their control, the attacker uploaded malicious versions of these packages to the NPM registry, containing obfuscated JavaScript code that executed only under specific conditions.
  • The payload was designed to activate only in browser environments, checking for objects such as window and window.ethereum (commonly used by crypto wallets).
  • Once triggered, the malware intercepted and modified cryptocurrency wallet API calls, potentially redirecting transactions to attacker-controlled addresses.

Indicators of Compromise (IOCs)

  • Malicious versions: debug@4.4.2, chalk@5.6.1, ansi-styles@6.2.2
  • Phishing domain: npmjs.help
  • Malicious code behaviour: obfuscated scripts checking for “window.ethereum” and hooking into wallet transaction functions.

Why It Matters

  • The compromised packages are foundational in the JavaScript ecosystem, with billions of weekly downloads, meaning a vast number of projects and developers were potentially affected.
  • The malicious code specifically targeted cryptocurrency wallet transactions, creating a direct risk of fund theft for end-users and applications interacting with Web3 technologies.
  • Developers and organizations rely on open-source packages, and such attacks undermine trust in widely used libraries.
  • Organizations may face downtime, remediation costs, and reputational risk while auditing dependencies and ensuring no compromised versions remain in use.

Recommendations

User Awareness

  • Be cautious of phishing emails claiming to be from NPM or support teams.
  • Avoid clicking links or providing credentials in suspicious emails.
  • Report any suspicious activity or unexpected prompts to the security team.
  • Understand that even trusted open-source software can be a vector for attacks.

Technical Defence

  • Check all projects to see if they are using the affected package versions.
  • Downgrade or lock packages to versions that are known to be safe.
  • Delete node_modules and lock files (package-lock.json or yarn.lock) and reinstall packages.
  • Change any API keys, tokens, or wallet secrets that could have been exposed.
  • Monitor any crypto wallets or transactions for unusual activity.
  • Use multi-factor authentication (MFA) and hardware tokens for package publishing accounts.
  • Wait for the community to confirm new package versions are safe before using them.
  • Educate your team about supply chain attacks and safe package management practices.

Cyber threats never sleep, and neither do we. ProArch SOC protects you 24/7.
