Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Over night, starting at 01:16 UTC on September 9th, we were alerted to more packages being compromised, these included: These packages all had a new version 1.3.3 released (In the case of the wasm version, it was version 1.29.2), which contained the same malicious code as we saw in the compromise of packages with 2 billion+ downloads.

Aviram Shmueli is a distinguished cybersecurity and cloud computing expert with a background steeped in 8200 and the Israeli Ministry of Defense. He has over 20 years of hands-on and senior managerial experience in engineering and product management. Yesterday, a critical supply chain attack impacting 18 widely used npm packages was disclosed. These packages collectively account for nearly 2 billion weekly downloads.

The NPM ecosystem faced another significant supply chain attack when 18 popular packages, including highly-used libraries like debug and chalk, were compromised with advanced cryptocurrency drainer malware. This attack, affecting packages with over 2 billion weekly downloads, demonstrates how cybercriminals are leveraging trusted software distribution channels to deploy advanced Web3 wallet hijacking code.

On Monday, September 8th, a highly regarded open source developer, ~qix, was compromised via a phishing email. ~qix is an author and maintainer behind a large number of popular npm packages and found himself caught by this attack after responding to a message from the email address of support help. This resulted in the attacker taking over his npm account and having access to publish malicious versions of packages to which Qix had privileged access.

In 2021, a critical vulnerability in a popular Node.js library allowed hackers to carry out code injection and silently compromise thousands of applications, with disastrous effects. It wasn’t a brute-force attack. It wasn’t ransomware. It was some wittily constructed pieces of malevolent code that got through defences and provided attackers with complete carte blanche. Code injection attacks are no longer rare. They’re alarmingly common.

Last night, our automated Aikido Intel system alerted us that potentially malicious code was detected in some packages within the @nx scope, which include packages with as many as ~6 million weekly downloads. The scope and impact of this breach are significant, as the attacker chose to publish the stolen data directly on GitHub, rather than sending it to their own servers. This means that there’s a SIGNIFICANT amount of credentials that are publicly available on GitHub.

On August 26–27, 2025 (UTC), eight malicious Nx and Nx Powerpack releases were pushed to npm across two version lines and were live for ~5 hours 20 minutes before removal. The attack also impacts the Nx Console VS Code extension.

Our security monitoring systems recently flagged a suspicious npm package, os-info-checker-es6, which represents a sophisticated and evolving threat within the npm ecosystem. What initially appeared as a simple OS information utility quickly unraveled into a sophisticated multi-stage malware attack. This campaign employs clever Unicode-based steganography to hide its initial malicious code and utilizes a Google Calendar event short link as a dynamic dropper for its final payload.

During an Advanced Continual Threat Hunt (ACTH) investigation conducted in early March 2025, Trustwave SpiderLabs identified a notable resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications. These campaigns trick users into executing NodeJS-based backdoors, subsequently deploying sophisticated NodeJS Remote Access Trojans (RATs) similar to traditional PE structured legacy RATs.