In a significant development within the JavaScript ecosystem, a widespread supply chain attack has compromised over 500 npm packages, including popular ones like debug and chalk. This breach, which began on September 8, 2025, has affected packages collectively downloaded more than 2.6 billion times per week, making it one of the most extensive npm supply chain incidents in recent history.
The attack was initiated through a targeted phishing campaign that compromised a maintainer’s account. Once access was gained, attackers injected malicious code into the affected packages. This code was designed to intercept cryptocurrency transactions in web browsers, redirecting funds to addresses controlled by the attackers. The malware targeted various cryptocurrencies, including Ethereum, Solana, and Bitcoin.
Security experts have termed this malware “Shai-Hulud,” describing it as a self-replicating worm that spreads by exploiting compromised npm packages. The worm has been identified in over 180 packages, posing a significant threat to the integrity of the npm ecosystem.
In response to this breach, GitHub has announced enhanced security measures for the npm ecosystem. These include stricter authentication requirements, such as mandatory two-factor authentication (2FA) for publishing packages, and a cap of seven days on the lifespan of granular access tokens. GitHub aims to mitigate the risks associated with supply chain attacks and strengthen the overall security posture of the npm registry.
Developers are urged to audit their dependencies and update to the latest secure versions of affected packages. Additionally, enabling 2FA and following best practices for secure software development can help protect against similar attacks in the future.