Security Alert: Popular npm packages briefly compromised (chalk, debug, color family)


A maintainer’s npm account was phished, and malicious versions of several widely used packages—chalk, debug, and a set of color/ANSI utilities—were published. Community reports and maintainer issues confirmed the tampering, and the compromised versions were rapidly pulled. The payload acted as a crypto-drainer, primarily when the code ran in a browser context.

Why it matters:

These packages see roughly 2+ billion combined weekly downloads. Even a short exposure window risks pulling bad code into builds, especially in pipelines that auto-update dependencies.

Root cause in brief:

The maintainer acknowledged a phishing email (“support@npmjs.help”) that led to account takeover and malicious publishes.

What the malware tried to do

The injected script targeted Web3/crypto activity in the browser—intercepting wallet interactions and attempting to redirect funds/approvals to attacker-controlled addresses. (Server-only Node.js usage was less impacted because the payload checks for a browser window context.)

Affected package versions (as reported)

debug@4.4.2
chalk@5.6.1
ansi-styles@6.2.2
supports-color@10.2.1
strip-ansi@7.1.1
ansi-regex@6.2.1
wrap-ansi@9.0.1
color-convert@3.1.1
color-name@2.0.1
color-string@2.1.1
color@5.0.1
is-arrayish@0.3.3
slice-ansi@7.1.1
simple-swizzle@0.2.3
supports-hyperlinks@4.1.1
has-ansi@6.0.1
chalk-template@1.1.1
backslash@0.2.1

How to quickly check & fix (keep it simple)

  • Search your lockfile (package-lock.json / yarn.lock / pnpm-lock.yaml) for the exact versions above. If any are found, bump or pin to a safe version and rebuild.
  • Run npm ls <pkg> (or yarn why, pnpm why) for a few of the packages (e.g., chalk, debug, strip-ansi) to confirm which versions actually resolved, including nested copies.
  • Reinstall clean: delete node_modules and the lockfile, then reinstall to ensure the malicious version is gone.
  • Clear caches (npm cache clean --force, or the equivalent for your tool) and rebuild assets.
  • If you ship browser code or work with Web3 wallets, audit recent transactions and approvals and rotate any exposed secrets or tokens.
  • Secure your publisher accounts: enable strong 2FA and verified publishing (e.g., Trusted Publishing), and treat any look-alike “npm support” emails as suspicious.
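The lockfile search above, as an added example that is not part of the original post: a small Node script that walks a parsed package-lock.json (lockfileVersion 2/3 "packages" map, with the v1 "dependencies" tree also handled) and reports every entry whose exact name@version is on the list above, nested copies included. The sample lockfile is constructed for the demo.

```javascript
// Added example, not from the original post: scan a parsed package-lock.json for the
// exact compromised package@version pairs listed in the alert (assumes lockfileVersion 2/3,
// where the "packages" map is keyed by install path; v1 "dependencies" trees are also walked).
const COMPROMISED = {
  "debug": "4.4.2", "chalk": "5.6.1", "ansi-styles": "6.2.2", "supports-color": "10.2.1",
  "strip-ansi": "7.1.1", "ansi-regex": "6.2.1", "wrap-ansi": "9.0.1", "color-convert": "3.1.1",
  "color-name": "2.0.1", "color-string": "2.1.1", "color": "5.0.1", "is-arrayish": "0.3.3",
  "slice-ansi": "7.1.1", "simple-swizzle": "0.2.3", "supports-hyperlinks": "4.1.1",
  "has-ansi": "6.0.1", "chalk-template": "1.1.1", "backslash": "0.2.1",
};

// Package name from a v2/v3 key such as "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageNameFromPath(installPath) {
  const i = installPath.lastIndexOf("node_modules/");
  return i === -1 ? null : installPath.slice(i + "node_modules/".length);
}

// Walk a lockfile v1 "dependencies" tree (name -> {version, dependencies}) recursively.
function walkV1(deps, parentPath, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    if (COMPROMISED[name] === entry.version) hits.push({ path, name, version: entry.version });
    walkV1(entry.dependencies, `${path}/`, hits);
  }
}

// Return every installed entry whose name@version is on the compromised list.
function findCompromised(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (name && COMPROMISED[name] === entry.version) hits.push({ path, name, version: entry.version });
  }
  if (!lock.packages) walkV1(lock.dependencies, "", hits);
  return hits;
}

// Constructed sample: clean chalk, malicious debug, clean top-level strip-ansi but a
// malicious strip-ansi nested under string-width (the case "npm ls" helps surface).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/debug": { version: "4.4.2" },
    "node_modules/strip-ansi": { version: "7.1.0" },
    "node_modules/string-width/node_modules/strip-ansi": { version: "7.1.1" },
  },
};
for (const h of findCompromised(SAMPLE_LOCK)) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised` instead of the sample object; yarn.lock and pnpm-lock.yaml use different formats and need their own parser.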

Takeaways from the incident

This was a fast-moving supply-chain incident with a short exposure window. The open-source community’s quick response helped limit impact, but it’s a clear reminder: lock your dependencies, review publisher changes, and harden release pipelines. For teams building in or near Web3, add extra guardrails around wallet interactions and front-end bundles.
