Type: Incident
Actors: Unknown
Pub. date: September 8, 2025
Initial access: End-user compromise
Impact: Supply chain attack
Observed techniques: Supply Chain Compromise
Targeted technologies: npm
References: https://www.wiz.io/blog/widespread-npm-supply-chain-attack-breaking-down-impact-scope-across-debug-chalk
Status: Finalized
Last edited: Sep 30, 2025 1:21 PM
On September 8, 2025, malicious new versions of 18 popular npm packages maintained by a developer known as Qix (including debug@4.4.2 and chalk@5.6.1) were published to npm. If those versions were pulled into a frontend build and served to users, the injected code runs in the browser and can silently redirect cryptocurrency transactions (recipients and approvals) to attacker-controlled addresses. The maintainer acknowledged the compromise at around 15:15 UTC and began cleanup.
On September 9, 2025, JFrog reported that more packages were affected: @duckdb/node-api@1.3.3, @duckdb/duckdb-wasm@1.29.2, @duckdb/node-bindings@1.3.3, duckdb@1.3.3, proto-tinker-wc@0.1.87, and @coveops/abi@2.0.1.
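As an added example (not code from the original record or from the cited report), the following Node.js script scans a package-lock.json for the compromised versions named above, covering both the lockfile v2/v3 "packages" map and the nested v1 "dependencies" tree. The package list contains only the versions this record names (the report mentions 18 Qix packages but names only debug and chalk), and the sample lockfile is constructed.

```javascript
// Compromised versions named in this incident record (added example; the
// Qix set is incomplete here because the record names only debug and chalk).
const COMPROMISED = {
  "debug": ["4.4.2"],
  "chalk": ["5.6.1"],
  "@duckdb/node-api": ["1.3.3"],
  "@duckdb/duckdb-wasm": ["1.29.2"],
  "@duckdb/node-bindings": ["1.3.3"],
  "duckdb": ["1.3.3"],
  "proto-tinker-wc": ["0.1.87"],
  "@coveops/abi": ["2.0.1"],
};

// Package name from a lockfile v2/v3 "packages" key such as
// "node_modules/@duckdb/node-api" or "node_modules/foo/node_modules/debug".
function nameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}

// Lockfile v1: nested "dependencies" objects, walked recursively.
function walkV1(deps, parentPath, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = parentPath + "node_modules/" + name;
    out.push({ name, version: entry.version, path });
    walkV1(entry.dependencies, path + "/", out);
  }
}

// Returns every installed entry (including nested copies) whose
// name@version matches the compromised list.
function findCompromised(lock) {
  const installed = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      installed.push({ name: nameFromPath(path), version: entry.version, path });
    }
  } else {
    walkV1(lock.dependencies, "", installed);
  }
  return installed.filter(({ name, version }) => (COMPROMISED[name] || []).includes(version));
}

// Constructed sample lockfile: one clean debug, one nested compromised debug.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/chalk": { version: "5.6.1" },
  "node_modules/debug": { version: "4.3.7" },
  "node_modules/foo/node_modules/debug": { version: "4.4.2" },
  "node_modules/@duckdb/node-api": { version: "1.3.3" },
}};

for (const hit of findCompromised(SAMPLE_LOCK)) console.log(`COMPROMISED ${hit.name}@${hit.version} at ${hit.path}`);
```

To scan a real project, replace SAMPLE_LOCK with JSON.parse of the lockfile contents; note that the nested copy of debug would be missed by a check that only inspects top-level entries.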