color npm package compromised

Thanks to my sponsors: Corey Alexander, Alex Krantz, Egor Ternovoi, Ross Williams, Victor Song, Anson VanDoren, Ryan, Nicolas Riebesel, Henrik Tudborg, avborhanian, Daniel Silverstone, Eugene Bulkin, Elnath, Andy F, Romain Kelifa, Jack Duvall, Blake Johnson, Raine Godmaire, Boris Dolgov, compwhizii and 253 more Corey Alexander, Alex Krantz, Egor Ternovoi, Ross Williams, Victor Song, Anson VanDoren, Ryan, Nicolas Riebesel, Henrik Tudborg, avborhanian, Daniel Silverstone, Eugene Bulkin, Elnath, Andy F, Romain Kelifa, Jack Duvall, Blake Johnson, Raine Godmaire, Boris Dolgov, compwhizii, me, Chris Walker, Lucille Blumire, Philipp Hatt, rektide, Nicolas Coulange, Sam Leonard, Bob Ippolito, Geoffrey Thomas, Lyssieth, Senyo Simpson, xales, Aiden Scandella, Jelle Besseling, Marcus Griep, Michał Zalewski, Marcin Kołodziej, Thehbadger, callym, Hadrien G., Marcus Griep, Urs Metz, Diego Roig, Xirvik Servers, Richard Stephens, Max Heaton, Neil Blakey-Milner, Sawyer Knoblich, pinkhatbeard, Kevin Murphy, Jean-David Gadina, Kai Kaufman, Braidon Whatley, Zoran Zaric, Matthias Zepper, Anna M, Richard Pringle, Mathew Haji, Manuel Hutter, Vinay Mehta, Borys Minaiev, René Ribaud, anichno, Justin Ossevoort, Toon Willems, Taneli Kaivola, Mark Old, AdrianEddy, Antoine Rouaze, Morgan Rosenkranz, Ives van Hoorne, you got maiL, std__mpa, Raphaël Thériault, Andrew Henshaw, Daniel Strittmatter, Peter Shih, Paul Marques Mota, Integer 32, LLC, genny, Guillaume E, Jesse Luehrs, Zaki, Samit Basu, Paige Ruten, Pete Bevin, Luke Konopka, Gioele Pannetto, Hamilton Chapman, Adam Gutglick, Julien Roncaglia, playest, Valentin Mariette, Miguel Raz Guzmán Macedo, Jan-Stefan Janetzky, Tyler Bloom, Ripta Pasay, Chris Sims, Chris Thackrey, Luke Yue, Mario Fleischhacker, Elendol, Olivia Crain, Tomas Sedovic, Josh Triplett, Luuk, Geoffroy Couprie, Nyefan, ZacJW, Marco Carmosino, Tobias Bahls, Marty Penner, Jim, Max Bruckner, Laine Taffin Altman, frankwang, FELIX, James Leitch, Alan O'Donnell, Dimitri Merejkowsky, Brian L. Troutwine, Philipp Angerer, Olivier Peyrusse, ShikChen, Julian Schmid, Angelo, traxys, Guilherme Neubaner, Beat Scherrer, Michał Bartoszkiewicz, Luis, Dom, Yuriy Taraday, Reto Trappitsch, Carson Page, Tanner Muro, Gorazd Brumen, John VanEnk, Jörn Huxhorn, Torben Clasen, Dave Minter, Marie Janssen, Walther, Scott Sanderson, Em Sharnoff, Mathias Brossard, Zachary Myers, Matt Heise, Menno Finlay-Smits, Romet Tagobert, David Barsky, Enrico Zschemisch, Daniel Wagner-Hall, Twan Walpot, Ian McLinden, jalciné, Lawrence Bethlenfalvy, Mark, Alexandra Østermark, Kyle Lacy, hgranthorner, David White, Andy Gocke, Matt Jadczak, Mateusz Wykurz, Makoto Nakashima, L0r3m1p5um, Geoff Cant, Adam Lassek, Pete LeVasseur, Antoine Boegli, Mike English, Simon Menke, milan, qrpth, Aleksandre Khokhiashvili, Mattia Valzelli, Sean Bryant, Dylan Anthony, David Cornu, ofrighil, Olly Swanson, Stephan Buys, Guy Waldman, knutwalker, clement, Christian Bourjau, kuerbsikakteen, SeniorMars, psentee, Joshua Roesslein, Tom Forbes, C J Silverio, Zeeger Lubsen, Niels Abildgaard, Michael, Steven Pham, Jonathan Adams, Christoph Grabo, Horváth-Lázár Péter, James Brown, jatescher, Johnathan Pagnutti, Antoine PESTEL-ROPARS, Lena Schönburg, Zalán Bálint Lévai, Malik Bougacha, Mark Tomlin, Ben Wishovich, Marc-Andre Giroux, budrick, Vincent Mutolo, Matt Campbell, Justy, Xavier Groleau, Jake Demarest-Mays, Chris, old.woman.josiah, dataphract, Chris Emery, Isak Sunde Singh, villem, Zachary Thomas, Brooke Tilley, Alex Rudy, Matt Jackson, Dragoon, Sung Jeon, Colin VanDervoort, Vladimir, Matej Volf, David Smith, Arjen Laarhoven, The0x539, Dominik Wagner, Justin Smith, Tabitha, belzael, Romain Ruetschi, Brandon Piña, Dirkjan Ochtman, Ronen Ulanovsky, Wyatt Herkamp, Tiziano Santoro, Jeff Crocker, Ronen Cohen, zed, Yufan Lou, Radu Matei, Benjamin Röjder Delnavaz, Zac Harrold, Cole Kurkowski, Timothée Gerber, Lach, Ben Mitchell, Mason Ginter, Berkus Decker, James Rhodes, WeblWabl, Yann Schwartz, Björn Marschollek, Michal Hošna, Mikkel Rasmussen, Max von Forell, Kamran Khan, prairiewolf, Jimmy Hartzell, Astrid, notryanb, Christopher Valerio, Santiago Lema, Yves, eliferrous

On September 8 2025, around 13:00 UTC, someone compromised Josh Junon’s npm account (qix) and started publishing backdoored versions of his package.

Someone noticed and let Josh know:

Josh confirmed he’d gotten pwned by a fake 2FA (two-factor authentication) reset e-mail:

The phishing e-mail came from npmsj.help (registered 3 days prior) and claimed users had to reset their 2FA:

The raw email is available for the curious — it looks like it was sent via mailtrap (I’ve sent them an e-mail about it).

Over on Mastodon, Kevin Beaumont provided a list of affected packages:

And pointed out the scale of the attack: color alone has ~32 million weekly downloads:

The payload

The complete payload is available on pastebin.

According to initial analysis, it appears it’s not meant to be running in a server environment, or on developers’ machines (in other words, not in nodejs/bun/etc.), but in the browser.

Which would mean that for the attack to be successful:

• Someone maintaining a crypto website/web-powered app would have to upgrade to the backdoored dependencies
• Those dependencies would have to be used on the front-end
• The crypto website would have had to be built, packaged, deployed
• Users of the website would’ve had to make transactions with the drainer active

In other terms, I think that if all people did was accept a PR that bumped some dependencies, and some tests ran in CI, then nothing bad has happened, yet. But people are still figuring out exactly what the payload is supposed to do, and all the affected packages.

De-obfuscating the payload through https://obf-io.deobfuscate.io/ yields good results, see this gist.

I went a step further and did a loose port to TypeScript to understand more of what’s going on.

In short, fetch and XMLHTTPRequest are hooked so that any crypto addresses found in the response body that look like Bitcoin, Solana, Litecoin v2 etc. are modified to be one of the many addresses controlled by the attacker.

Note that only the response body is modified, not the request body. Presumably… this targets API calls that would request which address to send funds to, and do the transfer through some other means?

Additionally, every 500ms up to 50 times, window.ethereum.request is called to see if any Ethereum accounts have been authorized for use with Metamask. If so, window.ethereum is monkey-patched to alter various transactions to go attacker-controlled addresses.

In particular, it looks for:

• approve(address,uint256) (0x095ea7b3) — replacing the destination & maxing out the amount
  • this codepath also logs the DEX name if known: Uniswap, PancakeSwap, 1inch, SushiSwap
• permit(address,address,uint256,uint256,uint8,bytes32,bytes32) (0xd505accf) — replacing the destination & maxing out the value
• transfer(address,uint256) (0xa9059cbb) — replacing the destination but keeping the amount
• transferFrom(address,address,uint256) (0x23b872dd) — replacing the destination but keeping the amount

There’s a Solana codepath as well, which changes various fields to 19111111111111111111111111111111, but it’s unclear to me whether that would do anything successfully.

Current situation

Sep 8, 17:19 UTC

NPM has contacted Josh and told him they are working to the remove the packages.

See Josh’s timestamped comment

Sep 8, 17:11 UTC

• John is still locked out of his npm account
• chalk was patched by Sindre
• simple-swizzle is still compromised

The npm team seems rather unresponsive given the urgency of the situation:

It’s been almost two hours without a single email back from npm. I am sitting here struggling to figure out what to do to fix any of this. The packages that have Sindre as a co-publisher have been published over but even he isn’t able to yank the malicious versions AFAIU. If there’s any ideas on what I should be doing, I’m all ears.

HN comment

The best place to stay informed is probably Kevin’s thread on Mastodon.