Developer Compromised by Phishing Attack Involving a Malicious Email

An attacker compromised 18 widely used npm packages, publishing versions laced with cryptocurrency-stealing malware, after socially engineering the maintainer into handing over his npm account credentials.
Aikido Security reports that the affected packages together see more than two billion downloads a week. On the day of the attack, Aikido observed malicious code being inserted into these packages that targets crypto and web3 activity inside users' browsers.
Maintainer John Junon acknowledged the compromise after receiving a phishing email purporting to come from npmjs.help, which urged him to update his two-factor authentication credentials. That lookalike domain, a variant of npmjs.com, had been registered on September 5, shortly before the attack. Junon later said he fell for it by clicking through the link in the email instead of navigating to the legitimate site directly.
The maintainer managed to remove most of the tainted versions himself before npm administrators stepped in and suspended his account. Junon later announced that the account had been reinstated and his packages restored, and that law enforcement had contacted him about the incident.
As for financial losses, Aikido's lead malware researcher Charlie Eriksen said the company has tracked roughly $970 in stolen funds sent to attacker-controlled wallets. He called the financial impact unexpectedly small given that the malicious versions were downloaded around 2.6 million times before they were removed.
The payload is obfuscated JavaScript that runs in the browser of any site bundling an affected version. It hooks the browser's network functions so that it can inspect and rewrite requests and responses, and it scans that traffic for wallet addresses belonging to popular cryptocurrencies such as Ethereum and Bitcoin, replacing them with attacker-controlled addresses. Because the swap happens before the wallet prompts the user to confirm, the transaction the user signs already carries the attacker's destination.
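The following is an added example, not code from the article or from the compromised packages. It reduces the browser-side technique described above to a single rule (swap every Ethereum-shaped address in traffic for one attacker address), runs it against a constructed backend, and then exercises two client-side checks a web application can make: whether the global fetch has been wrapped, and whether the recipient about to be signed for still matches an address obtained outside the page's network stack. The addresses, URLs and JSON shapes are all constructed for this example.

```javascript
// Added example; not code from the article or from the compromised packages.
// It reduces the browser-side technique to one rule (swap every Ethereum-shaped
// address in traffic for an attacker address) and runs it against a constructed
// backend so the two client-side checks at the bottom can be exercised offline.
// Addresses, URLs and JSON shapes are all constructed for this example.

const ETH_ADDR_RE = /\b0x[0-9a-fA-F]{40}\b/g;
const MERCHANT_ADDR = "0x1111111111111111111111111111111111111111"; // constructed
const ATTACKER_ADDR = "0x2222222222222222222222222222222222222222"; // constructed

// The rewrite rule: every address in a body is replaced with the attacker's.
function swapAddresses(text, attackerAddr) {
  return text.replace(ETH_ADDR_RE, attackerAddr);
}

// The interceptor wraps whatever fetch it finds. Outgoing string bodies (a JSON-RPC
// eth_sendTransaction carries the recipient in params[0].to) and incoming response
// bodies both pass through swapAddresses, so the address the page displays and the
// address the wallet is asked to send to are both the attacker's.
function wrapFetchWithAddressSwap(fetchImpl, attackerAddr) {
  return async function hijackedFetch(input, init) {
    if (init && typeof init.body === "string") {
      init = { ...init, body: swapAddresses(init.body, attackerAddr) };
    }
    const res = await fetchImpl(input, init);
    const body = swapAddresses(await res.text(), attackerAddr);
    return new Response(body, { status: res.status, headers: res.headers });
  };
}

// Constructed stand-in for a dapp backend: GET returns the merchant's payout
// address, POST echoes the JSON-RPC request so the demo can show what arrived.
async function constructedBackend(input, init) {
  if (init && init.method === "POST") {
    return new Response(init.body, { status: 200 });
  }
  return new Response(JSON.stringify({ payTo: MERCHANT_ADDR }), { status: 200 });
}

// Check 1: in a browser, a genuine window.fetch or XMLHttpRequest.prototype.open
// stringifies to "[native code]"; a JavaScript wrapper around it does not. A
// wrapper can also override toString, so "false" here is necessary, not sufficient.
function looksMonkeyPatched(fn) {
  if (typeof fn !== "function") return true;
  return !Function.prototype.toString.call(fn).includes("[native code]");
}

// Check 2: compare the recipient the wallet is about to sign for against an
// address obtained outside the page's network stack (build-time config, a value
// the user pasted and confirmed, a server-side lookup). A mismatch means abort.
function recipientMatchesPinned(txParams, pinnedAddr) {
  return typeof txParams.to === "string" &&
    txParams.to.toLowerCase() === pinnedAddr.toLowerCase();
}

// End-to-end run through the hijacked fetch.
async function demo() {
  const hijacked = wrapFetchWithAddressSwap(constructedBackend, ATTACKER_ADDR);
  const shown = JSON.parse(await (await hijacked("https://dapp.example/api/payout")).text());
  const rpc = JSON.stringify({
    jsonrpc: "2.0", id: 1, method: "eth_sendTransaction",
    params: [{ from: "0x3333333333333333333333333333333333333333", to: MERCHANT_ADDR, value: "0x1" }],
  });
  const sent = JSON.parse(await (await hijacked("https://rpc.example", { method: "POST", body: rpc })).text());
  return {
    displayedPayTo: shown.payTo,                                      // attacker address
    recipientTheRpcReceived: sent.params[0].to,                       // attacker address
    hijackedFetchFlagged: looksMonkeyPatched(hijacked),               // true
    nativeFunctionFlagged: looksMonkeyPatched(Array.prototype.push),  // false
    signingAllowed: recipientMatchesPinned(sent.params[0], MERCHANT_ADDR), // false
  };
}

demo().then(console.log);
```

In a browser the first check would be run as `looksMonkeyPatched(window.fetch)` early in page load; note that Node's own `fetch` is implemented in JavaScript and so would be flagged by it, which is why the demo tests the check against `Array.prototype.push` instead. The second check is the one that actually protects funds: it does not depend on detecting the hook, only on having the real recipient from a channel the hooked code cannot touch.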
Aikido characterized the campaign as particularly dangerous because it operates at several layers at once: web pages, API calls and user applications. npm is a frequent target for supply-chain attacks, whether by injecting malicious code into trusted packages, as happened here, or by uploading malicious packages disguised as popular ones, and incidents like this underline how exposed the ecosystem remains.
Looking forward, Eriksen argued that npm security would improve if package publishing were channeled strictly through platforms such as GitHub or GitLab, whose review workflows put a second pair of eyes on a release before it ships. Paul Lizer, a technical specialist at Microsoft, warned that rapid release cycles and automation can push malicious code into production within minutes, often with no human in the loop.
Chris Wood, principal of application security at Immersive, remarked that while this particular attack looked relatively simple, the same path could be used for much larger corporate breaches. He pointed to a critical weakness in open-source consumption: developers assume that code pulled from public repositories is safe. A compromised maintainer breaks that assumption outright, which is why Wood urged developers to adopt a "trust but verify" stance toward their software supply chains.
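As an added example of what "trust but verify" can mean on the consuming side (this is not code from the article or from any of the people quoted), the following Node script gates a CI install on the contents of `package-lock.json`: every dependency must carry an integrity hash, resolve to the public registry, and match the exact version a reviewed allowlist approved. The lockfile, package names and allowlist are constructed; the registry URL and the lockfile v2/v3 `packages` layout are npm's own.

```javascript
// Added example, not from the article: a "trust but verify" gate to run before
// `npm ci` in CI. It walks a package-lock.json (lockfileVersion 2/3 "packages"
// map) and reports any dependency that has no integrity hash, resolves to a
// tarball outside the public registry, or is not the exact version a reviewed
// allowlist approved. The lockfile and allowlist below are constructed.

const REGISTRY = "https://registry.npmjs.org/";
const INTEGRITY_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+=*$/;

// Derive the package name from a lockfile path such as
// "node_modules/a/node_modules/b" (aliased packages carry an explicit name).
function packageName(path, entry) {
  if (entry.name) return entry.name;
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Returns one finding per violated rule; an empty array means the lock is clean
// relative to the allowlist.
function auditLockfile(lock, approved) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project or workspace symlink
    const name = packageName(path, entry);
    if (!INTEGRITY_RE.test(entry.integrity || "")) {
      findings.push({ name, issue: "missing or malformed integrity hash" });
    }
    if (!(entry.resolved || "").startsWith(REGISTRY)) {
      findings.push({ name, issue: `resolved outside the registry: ${entry.resolved}` });
    }
    if (name in approved && approved[name] !== entry.version) {
      findings.push({ name, issue: `version ${entry.version} is not the approved ${approved[name]}` });
    }
  }
  return findings;
}

// Constructed lockfile: one clean entry and three that should be caught.
// The integrity values are constructed placeholders, not real digests.
const CONSTRUCTED_LOCK = {
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/example-utils": {
      version: "2.3.1",
      resolved: "https://registry.npmjs.org/example-utils/-/example-utils-2.3.1.tgz",
      integrity: "sha512-c29tZS1jb25zdHJ1Y3RlZC1oYXNoLXZhbHVl",
    },
    "node_modules/example-colors": { // version bumped without anyone reviewing it
      version: "5.0.1",
      resolved: "https://registry.npmjs.org/example-colors/-/example-colors-5.0.1.tgz",
      integrity: "sha512-YW5vdGhlci1jb25zdHJ1Y3RlZC1oYXNo",
    },
    "node_modules/example-mirror": { // tarball fetched from somewhere other than the registry
      version: "1.0.0",
      resolved: "https://mirror.example.net/example-mirror-1.0.0.tgz",
      integrity: "sha512-dGhpcmQtY29uc3RydWN0ZWQtaGFzaA",
    },
    "node_modules/example-nohash": { // no integrity field at all
      version: "0.1.0",
      resolved: "https://registry.npmjs.org/example-nohash/-/example-nohash-0.1.0.tgz",
    },
  },
};

// The allowlist is what a reviewer updates in a pull request; anything not
// listed is only checked for integrity and origin.
const CONSTRUCTED_APPROVED = { "example-utils": "2.3.1", "example-colors": "5.0.0" };

function runAudit() {
  return auditLockfile(CONSTRUCTED_LOCK, CONSTRUCTED_APPROVED);
}

for (const f of runAudit()) console.log(`${f.name}: ${f.issue}`);
```

To use it against a real project, read the lock with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`, fail the pipeline if `auditLockfile` returns anything, and only then run `npm ci`, which installs exactly what the lock records and refuses a tarball whose integrity hash does not match. The caveat this incident makes plain: an integrity hash only pins the bytes you reviewed once. It says nothing about whether the maintainer who published the next version was still in control of their account, which is why the version allowlist, and a human looking at the diff before bumping it, is the part of the check that would have mattered here.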
In MITRE ATT&CK terms, the phishing email is the initial access vector against the maintainer, and the two-factor lure that captured his npm credentials is credential access; the poisoned releases that downstream projects then pulled in are a supply-chain compromise. Nothing reported supports persistence or privilege escalation on end-user systems: the behaviour described is confined to the browser session of sites that shipped an affected version.
*Updated September 9, 2025, 18:17 UTC: Includes comments from Aikido Security’s Charlie Eriksen.