A Guide to the Recent Node Package Manager (NPM) Compromise

Updated: Sept. 17, 2025

Introduction 

Node Package Manager (NPM) is the default package manager for JavaScript and Node.js. It allows developers to share, download, and integrate reusable bits of code called packages. These packages form the backbone of modern software development: from small utilities like string formatting to large frameworks powering web applications. But with this convenience comes risk. When attackers compromise an NPM package, the impact can cascade across thousands of applications worldwide. The latest NPM compromise involving popular packages like debug, chalk and later expanding to over 180 packages (as of Sept. 17, 2025) highlights why supply chain security is one of the biggest concerns for developers and enterprises today. 

Recent Compromise

In September 2025, attackers successfully compromised 18 widely used NPM packages, including debug, chalk, ansi-styles, and strip-ansi. These packages collectively have billions of weekly downloads. The attack began with a phishing campaign targeting a package maintainer. The phishing email, impersonating an NPM support request, tricked the maintainer into revealing credentials, allowing attackers to publish malicious versions of these packages. 

The malicious code injected into these versions was sophisticated: 

• It wrapped browser APIs like fetch and XMLHttpRequest. 

• It intercepted calls to crypto wallets and Web3 APIs. 

• It aimed to steal or redirect cryptocurrency transactions. 

The compromised versions were live for approximately two hours before being detected and rolled back, but that was enough for some developers and CI/CD pipelines to pull in the malicious code. 

Escalation: S1ngularity/nx and the Worm Campaign 

A week after the initial compromise, researchers observed a second wave of attacks by the same group, tracked as S1ngularity/nx. This time, the scope was much larger and included: 

• 187 packages compromised in total (40 initially, then 147 more). 

• Malware evolved into a worm (“Shai-Hulud”) with advanced propagation features. 

• Capabilities included: 
  • Harvesting secrets from environment variables, .npmrc files, and cloud metadata endpoints. 
  • Using tools like TruffleHog to scrape sensitive data. 
  • Exfiltrating secrets into malicious GitHub repositories. 
  • Injecting malicious GitHub Actions workflows for persistence and spread. 
  • Flipping private GitHub repos to public to expose sensitive data. 

This evolution shows the shift from a targeted compromise to a self-propagating supply chain worm. 

Fig. 1: Timeline of the September 2025 NPM compromises – escalating from a short-lived package hijack to a worm-level supply chain campaign. 

Impact  

CrowdStrike-maintained NPM packages were impacted in this campaign. This is a significant escalation because it shows attackers are not only targeting hobby or low-maintenance libraries, but also trusted security vendors’ packages. The compromise of packages such as @crowdstrike/commitlint, @crowdstrike/falcon-shoelace, and @crowdstrike/foundry-js demonstrates that no ecosystem participant is immune, and emphasizes the need for constant vigilance, supply chain monitoring, and third-party validation. 

CrowdStrike stated that after detecting malicious NPM packages, they swiftly removed them, rotated their keys in public registries, and confirmed that Falcon sensor was not impacted and customers remain protected while a thorough investigation is ongoing. 

The incident has caused alarm across the developer community and enterprise security teams because: 

• Massive Reach: Popular packages like debug and chalk are dependencies in thousands of projects. 
• Transitive Risk: Even if your app doesn’t depend on the affected package directly, a downstream dependency might. 
• Financial Risk: With targeting of crypto wallets, the potential for theft and fraud is immediate. 
• Trust Erosion: Developers trust package maintainers and registries; a compromise undermines this trust model. 
• Worm Propagation: Unlike the first wave, the Shai-Hulud malware could autonomously spread, escalating impact. 

This is why discussions around supply chain attacks via NPM are not just technical, they affect business outcomes, security, and reputation. 

Technical Details 

Affected Packages and Versions 

While the full list is evolving, here are some confirmed compromised packages: 

• ansi-styles  

• debug  

• backslash  

• chalk-template  

• supports-hyperlinks  

• has-ansi  

• simple-swizzle  

• color-string  

• error-ex  

• color-name  

• is-arrayish  

• slice-ansi  

• color-convert  

• wrap-ansi  

• ansi-regex  

• supports-color  

• strip-ansi  

• chalk  

Later waves extended this list to 187 packages, including libraries tied to frontend tooling, color utilities, and even packages linked to CrowdStrike dependencies. The malicious versions were published around Sept 8, 2025 (first wave) and Sept 16, 2025 (worm campaign). If your builds occurred during these timeframes, you may have been impacted. 

Extended Affected Packages: 

Check To Verify If You’ve Been Affected 

• Inspect Dependency Trees: Run npm ls or yarn list to see if your project uses any affected packages. 
• Check Lockfiles: Review package-lock.json, yarn.lock, or pnpm-lock.yaml for references to the bad versions. 
• Search CI/CD Logs: Look for builds that ran during the compromise window. 
• Audit Bundles: For frontend applications, scan-built JavaScript bundles to see if compromised code is included. 
• Use SBOMs: If you generate a Software Bill of Materials (SBOM), search it for affected versions. 
• Check GitHub Repos: Validate if any repositories had suspicious workflow files, unexpected commits, or suddenly flipped to public. 

Hunting Queries 

Below are sample queries you can use as starting points to proactively search for malicious activity. When using these remember to:

• Treat these as templates, replace indexes, table names, and field names to match your environment. 
• Create a package watchlist / lookup file : 
• Maintain a controlled list of affected package names and version patterns in a central lookup or watchlist. This makes it easy to update detection rules when new packages are added and avoids repeatedly editing queries. 

In CI/CD Environments: 

In SIEM & EDR: 

KQL 

SPL 

Yara-L 

CS 

S1

Real-World Detection Example 

Using Splunk, we ran a targeted query against web proxy logs to detect downloads of the compromised NPM package versions. The query matched on specific package names and version patterns associated with the September 2025 attack. 

Fig. 1: Detection of malicious NPM package versions in Splunk web proxy logs 

Detections observed included: 

• strip-ansi@7.1.1 

• ansi-regex@6.2.1 

• ansi-styles@6.2.2 

• debug@4.4.2 

• error-ex@1.3.3 

These events were logged as downloads from registry.npmjs.org over port 443. The results provided visibility into which hosts and IP addresses in the environment had pulled malicious packages.  

Action Items: 

• Confirm whether the packages were included in builds. 

• Investigate if developers or CI/CD agents pulled the versions. 

• Hunt for subsequent execution of malicious JavaScript payloads. 

This case demonstrates the importance of monitoring both package downloads and runtime behaviors. 

SOC Observations: 

When the above detections were validated in Microsoft Defender for Endpoint (MDE): 

• DeviceNetworkEvents showed connections to registry.npmjs.org, but there were no DeviceFileEvents confirming persistence of the malicious packages. 

• The impacted host was identified as a Git-runner, which installs dependencies during builds and then deletes them, explaining the absence of file artifacts. 

• Analysts observed some npm install –ignore-scripts activity, but it occurred prior to the compromise and did not include vulnerable versions. 

Key takeaway: In CI/CD and build environments, malicious dependencies may not leave behind file traces. Defenders should focus on network telemetry, installation logs, and package resolution events when hunting for supply chain compromises. 

Recommendations 

Recommendations for mitigation and prevention include: 

• Upgrade Immediately: Update to the latest safe versions released after the compromise. 

• Audit Pipelines: Ensure builds during the compromise window are redeployed with clean dependencies. 

• Enable 2FA: Maintainers should enforce strong MFA to prevent phishing-based account takeovers. 

• Pin Dependencies: Use exact version pinning in lockfiles. 

• Generate and Monitor SBOMs: Helps quickly identify impacted builds. 
  
• Monitor GitHub Activity: Watch for unexpected workflow file changes or repos flipping public. 

• Use Trusted Registries: Mirror or proxy registries with malware scanning. 

Indicators of Compromise

File Hashes: 

• Malicious bundle.js SHA-256: 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 

• de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6 

• 81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3 

• 83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e 

• 4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db 

• dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c 

• 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 

• b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777 

Network Indicators: 

• Exfiltration endpoint: https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 

File System Indicators:

• Presence of malicious workflow file: .github/workflows/shai-hulud-workflow.yml 

Suspicious Function Calls:

• NpmModule.updatePackage 

Suspicious API Calls:

• AWS Secrets Manager: secretsmanager.*.amazonaws.com (esp. BatchGetSecretValueCommand) 

• GCP: secretmanager.googleapis.com 

• NPM Registry: registry.npmjs.org/v1/search 

• GitHub API: api.github.com/repos 

Suspicious Process Executions:

• TruffleHog execution with filesystem / arguments 

• npm publish –force commands 

• curl calls to webhook.site domains 

Conclusion 

The September 2025 NPM compromises are a reminder of the fragility of modern software supply chains. What began as a two-hour malicious package injection escalated into a worm-level campaign capable of harvesting secrets and spreading across ecosystems. 

By auditing dependencies, monitoring builds, analyzing GitHub activity, and strengthening package security practices, developers and enterprises can reduce risk. But vigilance is key, supply chain attacks will remain one of the most dangerous vectors in software security. 

References

• Wiz.io Analysis 
• Upwind.io Coverage 
• Varonis Blog 
• Aikido Blog 
• Sonatype Blog 
• Aikido Blog: S1ngularity/nx Attackers Strike Again 
• StepSecurity Blog: ctrl-tinycolor and 40+ Packages