Socket has detected a large-scale supply chain attack in progress targeting the npm ecosystem. The account of prolific maintainer Qix was compromised, leading to the publication of malicious versions of foundational JavaScript packages that collectively receive billions of downloads per week.
According to Socket, “The account of prolific maintainer Qix has been compromised, and attackers have already published malicious versions of widely used packages. These packages generally receive 2–3 billion downloads per week.”
Many of these projects were co-maintained with Sindre Sorhus, the most popular npm maintainer by download count. This overlap dramatically widened the impact radius. As the report warns: “By compromising Qix, the attackers gained the ability to push malicious versions of packages that are indirectly depended on by countless applications, libraries, and frameworks.”
Socket confirmed that at least 20 core packages were trojanized; the malicious releases it listed include chalk@5.6.1, debug@4.4.2, ansi-styles@6.2.2, supports-color@10.2.1, strip-ansi@7.1.1, wrap-ansi@9.0.1, color-convert@3.1.1, chalk-template@1.1.1, backslash@0.2.1, and proto-tinker-wc@1.8.7.
These libraries handle terminal colouring, debug logging and string rendering, and sit deep in the dependency trees of most Node.js projects, so any install or CI build that resolved to the newest versions while the malicious releases were on the registry could have pulled them in.
Qix himself confirmed the compromise via Bluesky, stating: “Yep, I’ve been pwned. 2FA reset email, looked very legitimate. Only NPM affected. I’ve sent an email off to @npmjs.bsky.social to see if I can get access again. Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.”

The phishing email appeared to originate from support@npmjs.help and spoofed npm branding. The sender domain, npmjs.help, is not npm's (the registry and its support live under npmjs.com), which is exactly the detail the lure relied on readers not checking. It falsely claimed that outdated 2FA credentials would soon cause the account to be locked, luring Qix into clicking a fake “Update 2FA Now” link.
Socket highlights the lesson: “This shows how easily credible-looking 2FA reset emails can slip past even experienced maintainers, and why attackers continue to rely on phishing as a way to compromise high-value accounts in the open source ecosystem.”
Once a compromised version is bundled into a web application and runs in the browser, the injected code acts as a cryptocurrency address swapper.
Socket explains: “Once deobfuscated, the intent becomes clear. Simply put, the actor swaps any crypto transactions to their own address, redirecting any currency to their accounts.”
The malware:
- Scans strings and API calls for wallet addresses in ETH, BTC, LTC, BCH, TRON and Solana formats.
- Picks, from preloaded attacker lists, the address with the smallest Levenshtein distance to the one it found, so the substitute still resembles what the user expects to see.
- Replaces the victim’s address in the transaction payload with that lookalike.
- Hooks fetch() and XMLHttpRequest to rewrite network responses on the fly, modifying JSON and text bodies before the application sees them.
Critically, the malware also targets DEX routers like Uniswap V2/V3, PancakeSwap, SushiSwap, and 1inch, replacing recipient parameters during swaps.
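The following is an added illustration of the substitution logic described above, written for this article; it is not the malware's code. The attacker pool, the victim address and the response body are constructed placeholders, only the Ethereum-style address pattern is implemented, and the "trusted copy" used by the detection helper is assumed to come from somewhere the hook cannot reach, such as a proxy log.

```javascript
// Added illustration of the substitution logic described above. This is not
// the malware's code; the attacker pool, victim address and response body are
// constructed placeholders so the example runs offline.

// Standard Levenshtein edit distance (single-row dynamic programming).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// The attacker-controlled address that differs least from the victim's, so the
// swapped value still "looks right" to a user skimming the first and last chars.
function nearestAddress(victim, pool) {
  let best = null;
  let bestDist = Infinity;
  for (const candidate of pool) {
    const d = levenshtein(victim, candidate);
    if (d < bestDist) {
      best = candidate;
      bestDist = d;
    }
  }
  return best;
}

// Constructed attacker pool (Ethereum-style addresses, all fake).
const ATTACKER_POOL = [
  "0x" + "1".repeat(40),
  "0x" + "abcdef".repeat(6) + "abcd",
  "0x" + "AbCdEf" + "0".repeat(33) + "1",
];

// Only the EVM pattern is shown here; the real payload also carried patterns
// for BTC, LTC, BCH, TRON and Solana. \b stops 64-hex tx hashes from matching.
const EVM_ADDRESS = /\b0x[a-fA-F0-9]{40}\b/g;

// What a hooked fetch()/XMLHttpRequest does to a response body before the
// application reads it: every address is replaced by its nearest lookalike.
function rewriteResponseText(text, pool = ATTACKER_POOL) {
  return text.replace(EVM_ADDRESS, (addr) => nearestAddress(addr, pool));
}

// Defensive counterpart: given a copy of the body obtained out of band (for
// example from a proxy log), report every address the in-page copy differs on.
function detectSubstitution(trustedText, observedText) {
  const expected = trustedText.match(EVM_ADDRESS) || [];
  const observed = observedText.match(EVM_ADDRESS) || [];
  const diffs = [];
  for (let i = 0; i < expected.length; i++) {
    if (observed[i] !== expected[i]) {
      diffs.push({ expected: expected[i], observed: observed[i] });
    }
  }
  return diffs;
}

// Constructed wallet-API style response: a recipient plus an unrelated tx hash.
const VICTIM_ADDRESS = "0x" + "abcdef".repeat(6) + "ab12";
const SAMPLE_RESPONSE = JSON.stringify({
  to: VICTIM_ADDRESS,
  txHash: "0x" + "9f".repeat(32),
  value: "1000000000000000000",
});

// Walk through: the recipient is swapped for the pool entry two edits away,
// while the transaction hash (64 hex digits) is left untouched.
const TAMPERED_RESPONSE = rewriteResponseText(SAMPLE_RESPONSE);
const FINDINGS = detectSubstitution(SAMPLE_RESPONSE, TAMPERED_RESPONSE);
```

Running the walk-through shows why the Levenshtein step matters: the victim's address ending in `...ab12` is mapped to the pool entry ending in `...abcd`, not to the all-ones address, so both the prefix and most of the suffix still match what the user expects. A quick triage check in an affected browser tab is `window.fetch.toString()`: a wrapper written in JavaScript no longer reports `[native code]` unless the malware also patches `toString`.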
Socket advises immediate action:
- “Do not upgrade to these compromised versions.”
- Pin dependencies to the last known-good releases and regenerate lockfiles from them.
- Audit recent installs, lockfiles and CI/CD builds for the versions listed above.