npm Supply Chain Attack Targets 187 Packages with Evolving Worm Tactics

September 19, 2025

The npm registry is under an active supply chain attack: cybercriminals have compromised at least 187 packages, and the count is still rising. The campaign resembles earlier ones, notably the attack on Nx at the end of August, in which stolen developer secrets such as credentials were posted to public GitHub repositories.

Recent Developments and Attack Methodology

First identified by Socket and StepSecurity on September 15, the campaign initially affected 40 packages. Malware researcher Charlie Eriksen of Aikido has since reported a further 147 packages compromised with the same techniques, including some published by the cybersecurity vendor CrowdStrike.

Eriksen warns that the attackers have "upped their game," evolving their approach to develop a self-propagating worm that can spread across projects without direct intervention.

How the Malware Operates

The malicious payload is embedded in widely used npm packages. When a victim installs a compromised package, the code runs on their machine at install time and steals secrets, credentials, and system information; with those stolen credentials the worm can then publish itself into further packages.
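Install-time execution is something a practitioner can audit for locally. The script below is an added example, not code from the article or from Socket, StepSecurity, Aikido or CrowdStrike. It reads an npm lockfile (lockfileVersion 2 or 3), lists every dependency npm has marked `hasInstallScript` (the flag npm writes when a package declares a preinstall, install or postinstall hook, which is how a compromised package gets to run code on `npm install`), reports the ones not on an allowlist of packages you have reviewed and expect to run install scripts, and separately flags entries with no `integrity` hash or resolved from a host other than the npm registry. The embedded lockfile, the package names `@example/colors` and `@example/left-pad`, the hashes and the allowlist are all constructed for the demonstration.

```javascript
// Added example: audit an npm package-lock.json for dependencies that run
// lifecycle install scripts, the mechanism a compromised package uses to
// execute code on the machine that runs `npm install`.
// Not code from the article or from any vendor it mentions.

// Constructed sample lockfile (lockfileVersion 3). npm writes
// `hasInstallScript: true` for any package whose package.json declares a
// preinstall, install or postinstall script. The @example/* packages and
// every integrity value here are hypothetical.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/@example/colors": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/@example/colors/-/colors-1.2.3.tgz",
      integrity: "sha512-cOnStRuCtEd+placeholder/hash/0000000000000000000000000==",
      hasInstallScript: true,
    },
    "node_modules/esbuild": {
      version: "0.21.5",
      resolved: "https://registry.npmjs.org/esbuild/-/esbuild-0.21.5.tgz",
      integrity: "sha512-cOnStRuCtEd+placeholder/hash/1111111111111111111111111==",
      hasInstallScript: true, // esbuild legitimately runs a postinstall step
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      integrity: "sha512-cOnStRuCtEd+placeholder/hash/2222222222222222222222222==",
    },
    // Nested dependency fetched from a private mirror and missing its hash.
    "node_modules/lodash/node_modules/@example/left-pad": {
      version: "0.0.1",
      resolved: "http://mirror.example.internal/@example/left-pad-0.0.1.tgz",
    },
  },
};

const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Every installed package that npm recorded as having an install script.
function findInstallScriptPackages(lockfile) {
  const found = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    if (lockPath === "") continue; // the root project itself
    if (entry.hasInstallScript === true) {
      found.push({ name: packageNameFromPath(lockPath), version: entry.version, path: lockPath });
    }
  }
  return found;
}

// Install-script packages that are not on the reviewed allowlist.
function unexpectedInstallScripts(lockfile, allowlist) {
  const allowed = new Set(allowlist);
  return findInstallScriptPackages(lockfile).filter((p) => !allowed.has(p.name));
}

// Entries whose tarball cannot be verified: no integrity hash, or fetched
// from somewhere other than the trusted registry. Workspace links are skipped.
function unverifiableEntries(lockfile, registry = TRUSTED_REGISTRY) {
  const bad = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    if (lockPath === "" || entry.link) continue;
    const reasons = [];
    if (!entry.integrity) reasons.push("missing integrity");
    if (typeof entry.resolved === "string" && !entry.resolved.startsWith(registry)) {
      reasons.push(`resolved outside ${registry}`);
    }
    if (reasons.length) bad.push({ name: packageNameFromPath(lockPath), version: entry.version, reasons });
  }
  return bad;
}

function auditLockfile(lockfile, allowlist) {
  return {
    unexpectedInstallScripts: unexpectedInstallScripts(lockfile, allowlist),
    unverifiableEntries: unverifiableEntries(lockfile),
  };
}

// Usage: node audit-lock.js [path/to/package-lock.json]; without an argument
// the constructed sample above is audited.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lockfile = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCKFILE;
  const report = auditLockfile(lockfile, ["esbuild"]); // allowlist is a constructed example
  console.log(JSON.stringify(report, null, 2));
}
```

Run it against a real project's `package-lock.json` and review every name it prints: a package that has suddenly gained an install script between two lockfile revisions is exactly the signal this campaign produces. Pairing the audit with `ignore-scripts=true` in `.npmrc` (and re-enabling scripts only for the allowlisted packages) stops the install-time hook from firing at all.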

Notable Packages and Responses

The affected packages include several associated with CrowdStrike; the most prominent publicly visible package as of Monday was `@ctrl/tinycolor`, which sees roughly 2.2 million weekly downloads.

CrowdStrike responded swiftly, removing the malicious packages from the registry and rotating its keys, and confirmed that the Falcon platform was not affected and that customers remain protected. The company said it is continuing to work with npm and to investigate.

Recommendations for Developers and Maintainers

This attack shows how far supply chain malware has advanced: a single compromised maintainer token is now enough to seed a worm that republishes itself into every package that token can reach. That makes vigilant security practices across the open-source ecosystem, from scoped and short-lived publish tokens to scrutiny of what runs at install time, more important than ever.
