MacMusic  |  PcMusic  |  440 Software  |  440 Forums  |  440TV  |  Zicos
packages
Search

npm debug and chalk packages compromised (Aikido)

Monday September 8, 2025. 07:45 PM , from LWN.net
The Aikido blog describes
an apparently ongoing series of phishing attacks against npm package
maintainers, resulting in the uploading of compromised versions of heavily
used packages:

All together, these packages have more than 2 billion downloads per
week.

The packages were updated to contain a piece of code that would be
executed on the client of a website, which silently intercepts
crypto and web3 activity in the browser, manipulates wallet
interactions, and rewrites payment destinations so that funds and
approvals are redirected to attacker-controlled accounts without
any obvious signs to the user.
Read more at LWN.net
https://lwn.net/Articles/1037167/

Related News

packages More packages poisoned in npm attack, but would-be crypto thieves left pocket change TheRegisterSep 9
compromised Hackers Hijack npm Packages With 2 Billion Weekly Downloads in Supply Chain Attack SlashdotSep 8
npm Dev snared in crypto phishing net, 18 npm packages compromised TheRegisterSep 8
aikido The Duty-Free Loophole Is Closing. What That Means for You—and Your Packages Wired: Tech.Aug 28
debug Nx NPM packages poisoned in AI-assisted supply chain attack TheRegisterAug 27
chalk Survey Finds More Python Developers Like PostgreSQL, AI Coding Agents - and Rust for Packages SlashdotAug 25
packages Microsoft is Trying To Poach Meta AI Talent and Offering Multimillion-Dollar Pay Packages SlashdotAug 12
compromised Rust's Annual Tech Report: Trusted Publishing for Packages and a C++/Rust Interop Strategy SlashdotAug 10
npm Tailor drew chalk portraits on fabric BoingBoingAug 5
aikido [$] Debian grapples with offensive packages, again LWN.netAug 4
debug Trump Ends Tariff Exemption for Small Packages Wired: Tech.Jul 31
News copyright owned by their original publishers | Copyright © 2004 - 2025 Zicos / 440Network
Current Date
Sep, Wed 10 - 01:09 CEST