# npm debug and chalk packages compromised

Published: September 8, 2025
Author: Charlie Eriksen, Malware Researcher at Aikido Security

---

## Overview

Starting on September 8th at 13:16 UTC, Aikido's intel feed flagged a series of popular npm packages containing malicious code. The affected packages (18 total) include high-download packages such as:

- backslash (0.26M downloads/week)
- chalk-template (3.9M)
- supports-hyperlinks (19.2M)
- has-ansi (12.1M)
- simple-swizzle (26.26M)
- color-string (27.48M)
- error-ex (47.17M)
- color-name (191.71M)
- is-arrayish (73.8M)
- slice-ansi (59.8M)
- color-convert (193.5M)
- wrap-ansi (197.99M)
- ansi-regex (243.64M)
- supports-color (287.1M)
- strip-ansi (261.17M)
- chalk (299.99M)
- debug (357.6M)
- ansi-styles (371.41M)

The malicious updates added obfuscated code that executes in browsers, silently intercepting crypto and Web3 activity, manipulating wallet interactions, and redirecting payments to attacker-controlled accounts without users noticing.

---

## What happened?

Maintainers published updated versions of the above packages with changed index.js files containing obfuscated malicious code. The malware:

- silently hijacks browser-level functions like fetch and XMLHttpRequest, as well as wallet API interfaces (e.g., window.ethereum, Solana);
- detects blockchain transactions and wallet addresses in network traffic;
- replaces legitimate addresses with attacker-controlled lookalike addresses, covering Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash formats;
- intercepts and alters transaction payloads before the user signs, so the UI looks normal but the funds go to the attacker;
- uses string matching to swap the sensitive data stealthily;
- avoids obvious UI changes when a crypto wallet is found, to reduce suspicion;
- keeps running silently to capture and modify transactions.

Sample code snippets in the compromised packages reveal functions intercepting and modifying wallet-related calls.
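Because the payload works by replacing browser built-ins such as `fetch` and `XMLHttpRequest` with JavaScript wrappers, a page can audit those globals at runtime: a genuine built-in reports `[native code]` from `Function.prototype.toString`, while a wrapper reports its JavaScript source. The following is an added defensive example written for this page; it is not code from Aikido or from the compromised packages. It assumes the watched API paths `fetch`, `XMLHttpRequest.prototype.open` and `XMLHttpRequest.prototype.send`, takes the root object as a parameter (in a browser you would pass `window`), and uses a constructed stand-in object with native `Math` functions in place of the real browser APIs so it can run in Node.

```javascript
// Added example: runtime integrity check for the browser APIs the malware hooks.
// Not part of Aikido's writeup; the demo environment below is constructed.

// A pristine built-in stringifies as "function name() { [native code] }".
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// Resolve a dotted path such as "XMLHttpRequest.prototype.open" on a root object.
function resolvePath(root, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// True only for functions whose source is the engine's native marker.
// Call the pristine Function.prototype.toString rather than fn.toString so an
// overridden toString on fn itself cannot mask the wrapper.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  return NATIVE_RE.test(Function.prototype.toString.call(fn));
}

// Audit a list of API paths on a root object (window in the browser). Returns the
// paths that are missing or no longer native, i.e. candidates for having been hooked.
function auditHookableApis(root, paths) {
  return paths.filter((p) => !isNativeFunction(resolvePath(root, p)));
}

// The browser-level functions named in the writeup as hook targets (assumed set).
const WATCHED_APIS = ['fetch', 'XMLHttpRequest.prototype.open', 'XMLHttpRequest.prototype.send'];

// Constructed stand-in for `window`: native Math functions play the role of the
// genuine browser built-ins so the check can be exercised outside a browser.
function buildDemoWindow() {
  return {
    fetch: Math.max,
    XMLHttpRequest: { prototype: { open: Math.min, send: Math.abs } },
  };
}

// Simulate the kind of transparent forwarding wrapper a monkey-patch leaves behind,
// so the audit has something to detect in the demo.
function wrapFetch(win) {
  const original = win.fetch;
  win.fetch = function fetch(...args) { return original.apply(this, args); };
  return win;
}

// Demo: a clean environment reports nothing; a wrapped fetch is flagged.
console.log('clean  :', auditHookableApis(buildDemoWindow(), WATCHED_APIS));
console.log('patched:', auditHookableApis(wrapFetch(buildDemoWindow()), WATCHED_APIS));
```

In a real page, run `auditHookableApis(window, WATCHED_APIS)` as early as possible (before third-party bundles load) and treat any flagged path as a reason to refuse wallet interactions and report telemetry. The check is a heuristic: code that also overrides `Function.prototype.toString` can hide from it, so a stronger variant compares each function against the pristine copy obtained from a freshly created same-origin iframe's `contentWindow`. It complements, rather than replaces, pinning dependencies and scanning lockfiles for the affected versions.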
---

## How the malware works (step-by-step)

1. Injection into browser: hooks core network and wallet APIs (fetch, XMLHttpRequest, window.ethereum, Solana, etc.).
2. Monitoring: watches network responses and transaction data for wallet addresses or transfer information, using regexes that cover multiple blockchain formats.
3. Address replacement: rewrites destination addresses and approval targets to attacker-controlled Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash addresses, often using visually similar characters to fool detection.
4. Transaction hijacking: alters Ethereum and Solana transaction parameters such as recipients, allowances, and approvals before signing.
5. Stealth: avoids obvious UI changes when wallets are detected; keeps the hooks persistent and silent.

---

## Maintainer response

After being notified by Aikido on the Bluesky platform, the maintainer acknowledged the compromise at 15:15 UTC and began cleanup. The attacker apparently gained access via a phishing email sent from support [at] npmjs [dot] help. Most compromised package versions were deleted by the author before losing access. Some packages, like simple-swizzle, remain compromised at the time of writing.

---

## Indicators of Compromise (Compromised Package Versions)

| Package             | Version |
|---------------------|---------|
| backslash           | 0.2.1   |
| chalk-template      | 1.1.1   |
| supports-hyperlinks | 4.1.1   |
| has-ansi            | 6.0.1   |
| simple-swizzle      | 0.2.3   |
| color-string        | 2.1.1   |
| error-ex
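The table above is the practical starting point for response: check every lockfile in your estate for the listed package/version pairs, including copies nested under other packages. The following scanner is an added example written for this page, not a tool from Aikido or npm. It assumes the standard `package-lock.json` layouts (the `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1), and its IoC set contains only the versions visible in this excerpt of the table; extend it from the full advisory before relying on it. The sample lockfile embedded below is constructed for the demo.

```javascript
// Added example: scan a package-lock.json for the compromised versions in the IoC table.
// Not part of Aikido's writeup. COMPROMISED holds only the rows visible in this excerpt.

const COMPROMISED = {
  'backslash': ['0.2.1'],
  'chalk-template': ['1.1.1'],
  'supports-hyperlinks': ['4.1.1'],
  'has-ansi': ['6.0.1'],
  'simple-swizzle': ['0.2.3'],
  'color-string': ['2.1.1'],
};

// Derive the package name from a v2/v3 "packages" key such as
// "node_modules/@scope/name" or "node_modules/a/node_modules/b" (nested install).
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Walk a lockfileVersion 1 "dependencies" tree, yielding every installed entry.
function* walkV1(deps, prefix) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const where = `${prefix}node_modules/${name}`;
    yield { name, version: entry.version, where };
    if (entry.dependencies) yield* walkV1(entry.dependencies, `${where}/`);
  }
}

// Yield {name, version, where} for every installed package in either lockfile layout.
function* walkLock(lock) {
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      const name = nameFromLockKey(key);
      if (name) yield { name, version: entry.version, where: key }; // skips the "" root entry
    }
  } else if (lock.dependencies) {
    yield* walkV1(lock.dependencies, '');
  }
}

// Return every installed package/version pair that matches the IoC list, with its
// install path so nested copies (e.g. under another dependency) are located too.
function findCompromised(lock, iocs = COMPROMISED) {
  const hits = [];
  for (const { name, version, where } of walkLock(lock)) {
    if (iocs[name] && iocs[name].includes(version)) hits.push({ name, version, where });
  }
  return hits;
}

// Convenience entry point for raw lockfile text, e.g. fs.readFileSync('package-lock.json', 'utf8').
function scanLockText(jsonText, iocs = COMPROMISED) {
  return findCompromised(JSON.parse(jsonText), iocs);
}

// Constructed sample lockfile (v3 layout): one clean entry, one top-level hit,
// and one hit nested under another package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk-template': { version: '1.1.1' },
    'node_modules/color-string': { version: '2.0.0' },
    'node_modules/some-lib': { version: '3.4.5' },
    'node_modules/some-lib/node_modules/simple-swizzle': { version: '0.2.3' },
  },
};

// Demo run over the constructed lockfile.
for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${h.name}@${h.version} at ${h.where}`);
}
```

Run it against each repository's `package-lock.json` (and any `npm-shrinkwrap.json`), and also check build caches and deployed bundles, since a lockfile only describes what was resolved at install time. A hit means the exact malicious version was installed; because the payload runs in the browser, any front-end bundle built from that tree should be treated as compromised and rebuilt after the dependency is pinned to a clean version.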