color npm package compromised

Thanks to my sponsors: Björn Marschollek, Sam Leonard, ShikChen, Marty Penner, anichno, callym, Mathias Brossard, ZacJW, David White, Christopher Valerio, Torben Clasen, Xirvik Servers, Radu Matei, David Barsky, Yves, Jimmy Hartzell, Matthias Zepper, Mattia Valzelli, Lyssieth, Pete Bevin and 277 more Björn Marschollek, Sam Leonard, ShikChen, Marty Penner, anichno, callym, Mathias Brossard, ZacJW, David White, Christopher Valerio, Torben Clasen, Xirvik Servers, Radu Matei, David Barsky, Yves, Jimmy Hartzell, Matthias Zepper, Mattia Valzelli, Lyssieth, Pete Bevin, C J Silverio, Egor Ternovoi, WeblWabl, Integer 32, LLC, xales, Matěj Volf, Luke Konopka, Boris Dolgov, Diego Roig, Gorazd Brumen, Raine Godmaire, Michał Bartoszkiewicz, Tomas Sedovic, Herman J. Radtke III, Justin Smith, Guillaume Demonet, Michael Alyn Miller, teor, Simon Menke, Senyo Simpson, Henrik Tudborg, Raphaël Thériault, SeniorMars, Bob Ippolito, Lucille Blumire, Jim, messense, Marcus Griep, Kai Kaufman, Tobias Bahls, Mason Ginter, Steven Pham, Romet Tagobert, Kyle Lacy, Romain Kelifa, AdrianEddy, Marco Carmosino, DaVince, Josiah Bull, Romain Ruetschi, Sung Jeon, Daniel Strittmatter, milan, Duane Sibilly, alethiophile, Menno Finlay-Smits, Dimitri Merejkowsky, Chris Sims, Lena Schönburg, Samit Basu, jatescher, Tiziano Santoro, Richard Pringle, Paul Marques Mota, Evan Relf, Twan Walpot, Marcus Griep, Kevin Anderson, Yufan Lou, Philipp Angerer, Astrid, Seth, Michał Zalewski, Tabitha, Toon Willems, Blake Johnson, Ryan, Valentin Mariette, Adam Lassek, Cole Tobin, Dave Minter, Urs Metz, Vincent Mutolo, Chris, Jon Gjengset, me, Jack Duvall, zed, Josh Triplett, Tyler Bloom, old.woman.josiah, Hadrien G., Malik Bougacha, Vladimir, Makoto Nakashima, Justin Ossevoort, Chris Emery, Olly Swanson, Garret Kelly, Andy F, Andy Gocke, Ben Wishovich, Marc-Andre Giroux, Jonathan Adams, Matthew T, Ives van Hoorne, Laine Taffin Altman, Chris Biscardi, Ripta Pasay, Yuriy Taraday, Guy Waldman, hgranthorner, Neil Blakey-Milner, Daniel Silverstone, Ronen Cohen, John Horowitz, Mario Fleischhacker, Wyatt Herkamp, Eugene Bulkin, Niels Abildgaard, Max Heaton, Mark Old, Sawyer Knoblich, Felix Weis, Antoine Boegli, belzael, Aiden Scandella, Stephan Buys, Andronik, Paul Horn, prairiewolf, Brian L. Troutwine, Òscar Pérez, Matt Jackson, Olivier Peyrusse, Ian McLinden, Jonas Platte, Geoff Cant, Xavier Groleau, Richard Stephens, Ula, Noel, Guillaume E, Geoffroy Couprie, Mark Tomlin, Victor Song, bbutkovic, Walther, clement, Sylvie Nightshade, Borys Minaiev, Elnath, compwhizii, James Brown, David Cornu, Mark, Joshua Roesslein, Dirkjan Ochtman, Philipp Gniewosz, Dylan Anthony, Aalekh Patel, you got maiL, Dom, Tom Forbes, Zalán Bálint Lévai, Daniel Wagner-Hall, notryanb, Ben Mitchell, Kevin Nguyen, Matt Jadczak, budrick, Scott Sanderson, Justy, Alan O'Donnell, Anna M, Carson Page, Brooke Tilley, dataphract, Johnathan Pagnutti, Nicholas Orta, Alex Krantz, Nicolas Riebesel, Marky Mark, Scott Steele, Manuel Hutter, Isak Sunde Singh, Zaki, Hamilton Chapman, Ivo Murrell, psentee, Aleksandre Khokhiashvili, L0r3m1p5um, James Leitch, Ahmad Alhashemi, Guilherme Neubaner, James Rhodes, Daniel Papp, Philipp Hatt, Max Bruckner, Morgan Rosenkranz, Enrico Zschemisch, Taneli Kaivola, Benjamin Röjder Delnavaz, Michal Hošna, Pete LeVasseur, pinkhatbeard, Lawrence Bethlenfalvy, Michael, Thehbadger, Timothée Gerber, Mike English, traxys, Marie Janssen, Aaron Gorodetzky, Sarah Berrettini, Paige Ruten, Braidon Whatley, Christian Bourjau, Colin VanDervoort, Kamran Khan, e9zaktw1, Adam Gutglick, avborhanian, Dominik Wagner, Cole Kurkowski, Julian Schmid, Jake Demarest-Mays, villem, Thor Kamphefner, Horváth-Lázár Péter, Alex Rudy, Elendol, Zachary Myers, Antoine PESTEL-ROPARS, genny, Jelle Besseling, Mikkel Rasmussen, Zac Harrold, Geoffrey Thomas, Yann Schwartz, Sean Bryant, Tanner Muro, Jörn Huxhorn, Matt Campbell, ofrighil, std__mpa, Peter Shih, Nicholas, 0lach, Alexandra Østermark, Olivia Crain, Angelo, Marcin Kołodziej, Arjen Laarhoven, Berkus Decker, Antoine Rouaze, Chris Walker, Beth Rennie, Reto Trappitsch, Jean-David Gadina, Matt Heise, Mateusz Wykurz, Zachary Thomas, Max von Forell, Beat Scherrer, Corey Alexander, Luke Yue, Gioele Pannetto, Andrew Henshaw, Christoph Grabo, qrpth, René Ribaud, playest, Wojciech Smołka, David E Disch, John VanEnk, Jan-Stefan Janetzky, Jesse Luehrs, Andrew Neth, Brandon Piña, Zoran Zaric, Sindre Johansen, Santiago Lema, Ronen Ulanovsky, Chris Thackrey, Nyefan, Ross Williams

On September 8 2025, around 13:00 UTC, someone compromised Josh Junon’s npm account (qix) and started publishing backdoored versions of his package.

Someone noticed and let Josh know:

Josh confirmed he’d gotten pwned by a fake 2FA (two-factor authentication) reset e-mail:

The phishing e-mail came from npmsj.help (registered 3 days prior) and claimed users had to reset their 2FA:

The raw email is available for the curious — it looks like it was sent via mailtrap (I’ve sent them an e-mail about it).

Over on Mastodon, Kevin Beaumont provided a list of affected packages:

And pointed out the scale of the attack: color alone has ~32 million weekly downloads:

The payload

The complete payload is available on pastebin.

According to initial analysis, it appears it’s not meant to be running in a server environment, or on developers’ machines (in other words, not in nodejs/bun/etc.), but in the browser.

Which would mean that for the attack to be successful:

• Someone maintaining a crypto website/web-powered app would have to upgrade to the backdoored dependencies
• Those dependencies would have to be used on the front-end
• The crypto website would have had to be built, packaged, deployed
• Users of the website would’ve had to make transactions with the drainer active

In other terms, I think that if all people did was accept a PR that bumped some dependencies, and some tests ran in CI, then nothing bad has happened, yet. But people are still figuring out exactly what the payload is supposed to do, and all the affected packages.

De-obfuscating the payload through https://obf-io.deobfuscate.io/ yields good results, see this gist.

I went a step further and did a loose port to TypeScript to understand more of what’s going on.

In short, fetch and XMLHTTPRequest are hooked so that any crypto addresses found in the response body that look like Bitcoin, Solana, Litecoin v2 etc. are modified to be one of the many addresses controlled by the attacker.

Note that only the response body is modified, not the request body. Presumably… this targets API calls that would request which address to send funds to, and do the transfer through some other means?

Additionally, every 500ms up to 50 times, window.ethereum.request is called to see if any Ethereum accounts have been authorized for use with Metamask. If so, window.ethereum is monkey-patched to alter various transactions to go attacker-controlled addresses.

In particular, it looks for:

• approve(address,uint256) (0x095ea7b3) — replacing the destination & maxing out the amount
  • this codepath also logs the DEX name if known: Uniswap, PancakeSwap, 1inch, SushiSwap
• permit(address,address,uint256,uint256,uint8,bytes32,bytes32) (0xd505accf) — replacing the destination & maxing out the value
• transfer(address,uint256) (0xa9059cbb) — replacing the destination but keeping the amount
• transferFrom(address,address,uint256) (0x23b872dd) — replacing the destination but keeping the amount

There’s a Solana codepath as well, which changes various fields to 19111111111111111111111111111111, but it’s unclear to me whether that would do anything successfully.

Current situation

Sep 8, 17:19 UTC

NPM has contacted Josh and told him they are working to the remove the packages.

See Josh’s timestamped comment

Sep 8, 17:11 UTC

• John is still locked out of his npm account
• chalk was patched by Sindre
• simple-swizzle is still compromised

The npm team seems rather unresponsive given the urgency of the situation:

It’s been almost two hours without a single email back from npm. I am sitting here struggling to figure out what to do to fix any of this. The packages that have Sindre as a co-publisher have been published over but even he isn’t able to yank the malicious versions AFAIU. If there’s any ideas on what I should be doing, I’m all ears.

HN comment

The best place to stay informed is probably Kevin’s thread on Mastodon.