Executive Summary
In September 2025, a targeted supply chain attack compromised at least 18 widely used JavaScript packages on the NPM repository after a key developer, Josh Junon, was phished. The attackers created a convincing fake NPM login website, stealing both credentials and a one-time 2FA token to access the developer's account. They injected malicious code into popular packages, enabling browser-based interception of cryptocurrency transactions and redirection of funds to attacker-controlled wallets. The breach was discovered rapidly by Aikido, which alerted the maintainer, enabling a swift cleanup and limiting broader damage.
This incident underscores the persistent risks lurking in open-source software supply chains, particularly as threat actors evolve their tactics to bypass conventional security controls using phishing and social engineering. The rapid containment averted a potentially devastating impact, but the episode highlights ongoing vulnerabilities in software ecosystems reliant on centralized package maintainers.
Why This Matters Now
The surge in supply chain attacks targeting software repositories like NPM exposes how a single compromised developer can endanger billions of downstream applications. As organizations increasingly depend on open-source code for critical infrastructure, robust authentication and automated malware scanning are urgent to thwart sophisticated attackers leveraging phishing techniques.
Attack Path Analysis
Attackers initiated the supply chain compromise by phishing an NPM developer, stealing credentials and 2FA tokens to gain unauthorized access. With elevated privileges, they injected malicious code into highly popular JavaScript packages. The adversaries then relied on the automatic distribution and use of these tainted packages by downstream developers, leading to lateral movement into countless websites and applications. Malicious code established command and control by manipulating browser APIs and intercepting network calls to covertly redirect cryptocurrency transactions. Exfiltration occurred as hijacked payments and approvals were routed to attacker-controlled accounts. Ultimately, the impact included silent theft of cryptocurrency and placed millions of web apps at risk for more destructive payloads.
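The interception described above works by replacing browser network APIs with wrappers. A defender-side check that a web application can run on itself is to verify that those functions are still the engine's native implementations. The following is an added example, not code from the report or from any of the affected packages; the watchlist of API paths and the stand-in `demoRoot()` object are constructed for illustration.

```javascript
// Added example (not from the original report): flag non-native wrappers
// around network APIs, the kind of hook used to intercept transactions.
const NATIVE_MARKER = "[native code]";
// Capture the real toString early so a later override cannot hide a wrapper.
const nativeToString = Function.prototype.toString;

function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  try {
    return nativeToString.call(fn).includes(NATIVE_MARKER);
  } catch (e) {
    return false;
  }
}

// Resolve a dotted path such as "XMLHttpRequest.prototype.open" on a root object.
function resolvePath(root, path) {
  return path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Audit every path on the watchlist; returns one finding per path.
function auditApis(root, paths) {
  const findings = [];
  for (const path of paths) {
    const fn = resolvePath(root, path);
    if (fn === undefined) {
      findings.push({ path, status: "missing" });
      continue;
    }
    findings.push({ path, status: isNativeFunction(fn) ? "native" : "wrapped" });
  }
  return findings;
}

// Constructed watchlist of APIs a crypto-stealer would need to hook.
const DEFAULT_WATCHLIST = [
  "fetch",
  "XMLHttpRequest.prototype.open",
  "XMLHttpRequest.prototype.send",
  "WebSocket.prototype.send",
];

// Constructed stand-in for `window` (assumption): Math.max plays an untouched
// native API and a closure around it plays a hooked one; WebSocket is absent.
function demoRoot() {
  const original = Math.max;
  const hooked = function (...args) { return original(...args); };
  return {
    fetch: original,
    XMLHttpRequest: { prototype: { open: hooked, send: original } },
  };
}

// In a browser you would call auditApis(window, DEFAULT_WATCHLIST) from a
// script loaded before any third-party bundle and report "wrapped" entries.
if (typeof window === "undefined") {
  console.log(auditApis(demoRoot(), DEFAULT_WATCHLIST));
}
```

Two caveats: under Node.js the global `fetch` is implemented in JavaScript, so it reports as "wrapped" there, which is why the demo uses a constructed root; and a wrapper built as a `Proxy` over the native function also reports as native, so this check raises the bar for the hooking technique but is not proof of integrity on its own.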
Kill Chain Progression
Initial Compromise
Description
The attacker phished the credentials and 2FA token of an NPM developer by spoofing NPM's login page, gaining unauthorized access to the developer's NPM account.
Related CVEs
CVE-2025-XXXX
CVSS 9.8 – Malicious code injection in multiple npm packages allows unauthorized cryptocurrency transaction interception.
Affected Products:
Multiple npm packages – various versions as of September 8, 2025
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Valid Accounts: Cloud Accounts
Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Modify Authentication Process: Web Portal Modification
Create Account: Cloud Account
Obfuscated Files or Information
Man-in-the-Middle
Exfiltration Over Alternative Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for All System Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy; Multi-Factor Authentication
Control ID: 500.03; 500.12
DORA (Digital Operational Resilience Act) – ICT Risk Management; Third-Party Risk
Control ID: Art. 6(2), Art. 10
CISA Zero Trust Maturity Model 2.0 – Phish-resistant Authentication; Supply Chain Integrity
Control ID: Identity Pillar: Authentication; Device Pillar: Software Supply Chain
NIS2 Directive – Risk Management Measures & Supply Chain Security
Control ID: Art. 21(2)(d), (f)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting JavaScript packages directly compromise software development workflows, requiring enhanced zero trust segmentation and threat detection capabilities for code repositories.
Financial Services
Cryptocurrency theft malware in compromised packages threatens financial applications, necessitating egress security policy enforcement and encrypted traffic monitoring for payment system protection.
Internet
Web-based applications using NPM packages face browser manipulation risks, requiring multicloud visibility control and anomaly response systems to detect malicious code injections.
Information Technology/IT
IT infrastructure managing software dependencies needs secure hybrid connectivity and Kubernetes security controls to prevent lateral movement from compromised development tools and packages.
Sources
- 18 Popular Code Packages Hacked, Rigged to Steal Crypto – https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/ (Verified)
- Massive supply chain attack hits NPM – https://cybernews.com/security/npm-supply-chain-attack/ (Verified)
- NPM Supply Chain Attack Impacts Packages with 2 Billion Weekly Downloads – https://cyberinsider.com/npm-supply-chain-attack-impacts-packages-with-2-billion-weekly-downloads/ (Verified)
- Browser-Based Crypto-Stealer in NPM Supply Chain Attack - Report By SISA Sappers – https://www.sisainfosec.com/blogs/browser-based-crypto-stealer-in-npm-supply-chain-attack-report-by-sisa-sappers/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, centralized policy, traffic visibility, and strict egress controls would have constrained the spread of the malicious packages, improved their detectability, and limited or detected anomalous exfiltration of sensitive data and unauthorized outbound activity. Distributed enforcement and runtime threat detection would provide earlier warning and containment for suspicious package behavior at the network and application layers.
Control: Multicloud Visibility & Control
Mitigation: Suspicious developer login attempts could be detected or flagged for rapid response.
Control: Threat Detection & Anomaly Response
Mitigation: Unusual privilege changes or lockouts would trigger real-time alerts.
Control: Zero Trust Segmentation
Mitigation: Downstream workload communication is limited to least privilege; infected package activity is contained.
Control: Cloud Firewall (ACF)
Mitigation: Outbound traffic to suspicious or unauthorized domains is blocked or logged.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved outbound connections and data exfiltration are detected or prevented.
Rapid detection and incident response curb the overall impact.
Impact at a Glance
Affected Business Functions
- Web Development
- Cryptocurrency Transactions
- Software Supply Chain
Estimated downtime: 2 days
Estimated loss: $50,000
Potential exposure of cryptocurrency wallet addresses and transaction details due to malicious code injection in widely used npm packages.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation to limit workload-to-workload communication and contain the spread of malicious packages.
- Apply centralized multicloud visibility and baselining to rapidly detect suspicious developer activity, privilege escalations, and anomalous package behavior.
- Mandate rigorous egress filtering and cloud firewall controls to block outbound traffic to untrusted or unauthorized destinations at both perimeter and workload levels.
- Leverage real-time threat detection and anomaly response to identify unexpected privilege changes, code insertions, and credential misuse across the environment.
- Continuously review software supply chain workflow, enforcing attestation and least privilege principles to reduce the risk of tampered package propagation.