Threat Alert: Massive NPM Supply-Chain Compromise

Mustafa Naamneh

September 9, 2025

September 9, 2025

Massive NPM Supply-Chain Compromise

Earlier today, malicious versions of a set of widely used NPM packages were detected. The affected libraries are among the most depended-upon in the JavaScript ecosystem, with over 2 billion downloads per week combined, and most projects pull them in transitively rather than as direct dependencies.

The compromise followed the takeover of a maintainer account with publish rights to all of these packages: the attacker used it to publish new patch versions containing injected malicious code. The account was taken over through a phishing email impersonating npm support (asking the maintainer to reset two-factor authentication), so what was abused is publish access, not a vulnerability in the packages themselves. The injected code targets browsers, hooking network and wallet APIs to redirect cryptocurrency transactions to attacker-controlled addresses; any build or site that pulled one of the versions below should nonetheless be treated as compromised until it has been rebuilt from clean versions.

Affected packages include:

Package               Malicious version   Weekly downloads
chalk-template        1.1.1               3.9m
supports-hyperlinks   4.1.1               19.2m
has-ansi              6.0.1               12.1m
simple-swizzle        0.2.3               26.26m
color-string          2.1.1               27.48m
error-ex              1.3.3               47.17m
color-name            2.0.1               191.71m
is-arrayish           0.3.3               73.8m
slice-ansi            7.1.1               59.8m
color-convert         3.1.1               193.5m
wrap-ansi             9.0.1               197.99m
backslash             0.2.1               0.26m
ansi-regex            6.2.1               243.64m
supports-color        10.2.1              287.1m
strip-ansi            7.1.1               261.17m
chalk                 5.6.1               299.99m
debug                 4.4.2               357.6m
ansi-styles           6.2.2               371.41m

Only the exact versions listed are known to be malicious; the release immediately before each one is the last known-good version.

Immediate Best Practices:

  1. Do NOT upgrade to the versions listed above. Stay on (or pin to) the last release before each listed version until the maintainers and npm confirm which versions are clean.
  2. Do not regenerate or update your lockfiles for now.
  3. Avoid running npm install (or any other command that re-resolves versions) for now: it can pull a malicious version in as a transitive dependency even when your direct dependencies look fine. Installing from an existing, pre-incident lockfile with npm ci is the safer path, because it installs exactly what the lockfile records.
  4. Pin exact versions in your package.json instead of using latest or caret (^) ranges. Note that pinning only covers direct dependencies; transitive versions are controlled by the lockfile.

Dangerous config:

"ansi-regex": "latest"
"is-arrayish": "^0.3.0"

Safer config:

"ansi-regex": "5.0.1"
"is-arrayish": "0.3.2"

  • Audit your dependencies (e.g., npm ls ansi-regex) to find transitive usage, or view the packages in your Backslash tenant.
  • Use and validate lockfiles (package-lock.json / yarn.lock) to prevent unintended upgrades.

Useful links :

https://github.com/debug-js/debug/issues/1005#issuecomment-3266868187

https://news.ycombinator.com/item?id=45169657

https://bsky.app/profile/bad-at-computer.bsky.social

This incident is another reminder: supply-chain security is fragile.

Stay safe, stay patched, and always lock down your dependencies.