Codenotary Trustcenter Blog

Detecting the Massive NPM Supply Chain Attack

Written by Dennis | Sep 9, 2025 6:31:37 AM

On September 8, 2025, the JavaScript ecosystem experienced one of its most severe supply chain attacks to date. Eighteen popular NPM packages, including widely-used libraries debug and chalk, were compromised through a sophisticated phishing attack. The incident exposed millions of developers to malware designed to hijack cryptocurrency transactions directly from web browsers.

The Attack Vector

The compromise began when a maintainer's NPM account fell victim to a convincing phishing email from a fake domain mimicking NPM's official communications. The attacker captured credentials and two-factor authentication codes, gaining full control of the account. Within hours, malicious versions of critical packages were published, each containing obfuscated code targeting web3 wallets and blockchain transactions.

The affected packages included debug@4.4.2, chalk@5.6.1, and sixteen other utilities with billions of collective weekly downloads. The malware specifically targeted browser environments, intercepting Ethereum transactions, manipulating API responses, and redirecting cryptocurrency to attacker-controlled addresses.

  • debug@4.4.2
  • chalk@5.6.1
  • supports-hyperlinks@4.1.1
  • chalk-template@1.1.1
  • slice-ansi@7.1.1
  • wrap-ansi@9.0.1
  • has-ansi@6.0.1
  • strip-ansi@7.1.1
  • ansi-styles@6.2.2
  • supports-color@10.2.1
  • ansi-regex@6.2.1
  • plus other related dependencies owned by the compromised maintainer account (npmjs.com/~qix)

Rapid Detection Script

To help developers quickly identify compromised packages in their projects, here's an essential bash script that scans repositories for the exact malicious versions:

#!/bin/bash
# Requires bash 4+ for associative arrays (macOS ships bash 3.2; run it with
# a newer bash there).

# Compromised package@version pairs as listed on this page
declare -A compromised=(
  ["debug"]="4.4.2"
  ["chalk"]="5.6.1"
  ["supports-hyperlinks"]="4.1.1"
  ["chalk-template"]="1.1.1"
  ["slice-ansi"]="7.1.1"
  ["wrap-ansi"]="9.0.1"
  ["has-ansi"]="6.0.1"
  ["strip-ansi"]="7.1.1"
  ["ansi-styles"]="6.2.2"
  ["supports-color"]="10.2.1"
  ["ansi-regex"]="6.2.1"
)

# Get scan directory from parameter or use current directory
SCAN_DIR="${1:-.}"

# Validate directory exists
if [ ! -d "$SCAN_DIR" ]; then
  echo "❌ Error: Directory '$SCAN_DIR' does not exist"
  exit 1
fi

echo "Scanning for compromised NPM packages in: $SCAN_DIR"
found=0

# Walk every package.json outside node_modules. The loop reads from process
# substitution instead of a pipe so it runs in the current shell and its
# updates to $found are still visible after the loop ends.
while IFS= read -r file; do
  lockfile="${file%/*}/package-lock.json"
  for package in "${!compromised[@]}"; do
    version="${compromised[$package]}"
    # Escape the dots so "4.4.2" does not also match "4x4x2"
    pattern=$(printf '%s\n' "$version" | sed 's/\./\\./g')

    # Declared dependency whose spec is, or starts at, the bad version
    # ("4.4.2", "^4.4.2", ">=4.4.2"); the lock file decides what is installed
    if grep -Eq "\"$package\"[[:space:]]*:[[:space:]]*\"[^\"0-9]*$pattern\"" "$file"; then
      echo "⚠️ ALERT: $package@$version declared in $file"
      found=$((found + 1))
    fi

    # Resolved (possibly transitive) version in the lock file. lockfileVersion 1
    # keys entries by name, v2/v3 by their node_modules/ path; requiring the
    # opening brace skips "debug": "^4.4.2" lines inside other entries, and the
    # "version" line follows within the next few lines in every format.
    if [ -f "$lockfile" ] && grep -A 3 -E "\"([^\"]*node_modules/)?$package\"[[:space:]]*:[[:space:]]*\{" "$lockfile" \
         | grep -Eq "\"version\"[[:space:]]*:[[:space:]]*\"$pattern\""; then
      echo "⚠️ ALERT: $package@$version resolved in lock file: $lockfile"
      found=$((found + 1))
    fi
  done
done < <(find "$SCAN_DIR" -name "package.json" -type f ! -path "*/node_modules/*")

# Non-zero exit so the script can fail a CI job
if [ "$found" -eq 0 ]; then
  echo "✅ No compromised packages detected"
else
  echo "❌ Found $found compromised package references"
  exit 1
fi

Critical Response Steps

The script above walks every package.json outside node_modules and, for each listed package, flags a declared dependency whose spec is or starts at the bad version, then checks the package-lock.json next to it for that resolved version, which is how transitive dependencies are caught. node_modules is skipped for speed and because the lock file already records what is installed there; a project with no lock file should be checked against the installed tree instead (npm ls debug, for example). Two limits matter in practice: the checks are grep heuristics over JSON rather than a parser, and only package-lock.json is read, so projects using yarn.lock or pnpm-lock.yaml need their own check. A declared range is also only a hint: ^4.3.0 can resolve to 4.4.2 without ever being flagged, so the lock file result is the one to trust.
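Grepping a lock file is quick but format-dependent: lockfileVersion 1 keys entries by package name, v2 and v3 by node_modules path, and a range declared in package.json is not the same thing as a resolved version. The following Node.js script is an added example, not code from the Codenotary post or from any of the affected projects. It parses the lock file as JSON, handles all three formats, reports where in the tree each bad version sits, and separately flags package.json specs that pin or start at a listed version. The indicator list is the one printed on this page; the sample lock-file objects and the sample package.json are constructed for illustration.

```javascript
// Added example (not code from the Codenotary post): parse an npm lock file
// instead of grepping it, so that v1 ("dependencies" tree) and v2/v3
// ("packages" map keyed by node_modules path) are both handled and nested
// (transitive) copies are reported with their location.
// Indicators are the package@version pairs listed on the page.
const COMPROMISED = {
  "debug": ["4.4.2"],
  "chalk": ["5.6.1"],
  "supports-hyperlinks": ["4.1.1"],
  "chalk-template": ["1.1.1"],
  "slice-ansi": ["7.1.1"],
  "wrap-ansi": ["9.0.1"],
  "has-ansi": ["6.0.1"],
  "strip-ansi": ["7.1.1"],
  "ansi-styles": ["6.2.2"],
  "supports-color": ["10.2.1"],
  "ansi-regex": ["6.2.1"],
};

function isCompromised(name, version) {
  return (COMPROMISED[name] || []).includes(version);
}

// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar"
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Returns [{ name, version, where }] for every resolved bad version.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 or 3: flat map, one entry per installed path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      const name = meta.name || nameFromPath(path); // aliased installs carry "name"
      if (isCompromised(name, meta.version)) {
        hits.push({ name, version: meta.version, where: path });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree, recurse into each "dependencies".
    walkV1(lock.dependencies, "", hits);
  }
  return hits;
}

function walkV1(deps, parent, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const where = parent ? `${parent} > ${name}` : name;
    if (isCompromised(name, meta.version)) {
      hits.push({ name, version: meta.version, where });
    }
    if (meta.dependencies) walkV1(meta.dependencies, where, hits);
  }
}

// package.json declares ranges, not installed versions. Flag a spec that is
// exactly, or whose lower bound is, a bad version ("4.4.2", "^4.4.2").
// A range such as "^4.3.0" can still resolve to 4.4.2: the lock file decides.
function findDeclared(pkg) {
  const hits = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const floor = String(spec).replace(/^[\^~=v>\s]+/, "");
      if (isCompromised(name, floor)) {
        hits.push({ name, version: floor, where: `${field} (${spec})` });
      }
    }
  }
  return hits;
}

// Constructed sample data for the demo, not real lock files.
const SAMPLE_LOCK_V3 = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { chalk: "^5.6.0", debug: "^4.3.0" } },
    "node_modules/chalk": { version: "5.6.1" },
    "node_modules/debug": { version: "4.4.2" },
    "node_modules/ms": { version: "2.1.3" },
    "node_modules/strip-ansi": { version: "7.1.0" },
    "node_modules/some-cli/node_modules/strip-ansi": { version: "7.1.1" },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    debug: { version: "4.4.2", dependencies: { ms: { version: "2.1.3" } } },
    "wrap-ansi": { version: "9.0.0" },
    "some-cli": { version: "1.0.0", dependencies: { "ansi-regex": { version: "6.2.1" } } },
  },
};
const SAMPLE_PACKAGE_JSON = { dependencies: { debug: "^4.3.0", chalk: "^5.6.1" } };

// Stand-alone use: node scan-lockfile.js ./package-lock.json (exits 1 on hits)
if (typeof process !== "undefined" && process.argv[2]) {
  import("node:fs").then((fs) => {
    const hits = findCompromised(JSON.parse(fs.readFileSync(process.argv[2], "utf8")));
    for (const h of hits) console.log(`ALERT: ${h.name}@${h.version} at ${h.where}`);
    process.exitCode = hits.length ? 1 : 0;
  });
}
```

Run it as node scan-lockfile.js path/to/package-lock.json; it exits 1 when anything is found, so it can gate a CI step. On the constructed v3 sample it reports chalk@5.6.1, debug@4.4.2 and the nested strip-ansi@7.1.1 while leaving the top-level strip-ansi@7.1.0 alone; on the v1 sample it reports debug@4.4.2 and ansi-regex@6.2.1 under some-cli. yarn.lock and pnpm-lock.yaml use different formats and are not covered.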

When compromised packages are detected, immediate action is crucial. Move every affected package off the listed versions to a release that is not on the list, regenerate the lock file, and audit the entire dependency tree, including transitive paths. Because the payload runs in the browser, any front-end bundle built while a bad version was installed carries it too: rebuild and redeploy those artifacts rather than only updating node_modules. For applications handling cryptocurrency or financial transactions, conduct thorough security reviews and notify affected users immediately.

Prevention Strategies

This incident underscores the importance of supply chain security in modern development. Enable two-factor authentication on registry accounts, preferably a phishing-resistant method such as a hardware security key, since the one-time codes used here were simply relayed through the phishing page; regularly audit dependencies; run automated dependency scanning in CI/CD pipelines; pin exact versions and install from the lock file with npm ci so that a freshly published release is not pulled in silently; and consider tools that verify package integrity and provenance before installation.

The attack's success through simple phishing highlights that technical controls alone aren't sufficient. Developer education about social engineering tactics and verification of official communications remains essential for ecosystem security.

The malicious code remained live for only two hours, but the potential impact was enormous. This rapid detection script provides a first line of defense, helping teams quickly identify and remediate compromised dependencies before they reach production environments.