color npm package compromised

Thanks to my sponsors: Guy Waldman, Urs Metz, Jon Gjengset, Nicholas Orta, David E Disch, Arjen Laarhoven, pinkhatbeard, Zachary Thomas, Ula, Aaron Gorodetzky, Marcus Griep, Olly Swanson, Geoffrey Thomas, Tabitha, Mark Old, Richard Stephens, Richard Pringle, Blake Johnson, Christoph Grabo, xales and 279 more Guy Waldman, Urs Metz, Jon Gjengset, Nicholas Orta, David E Disch, Arjen Laarhoven, pinkhatbeard, Zachary Thomas, Ula, Aaron Gorodetzky, Marcus Griep, Olly Swanson, Geoffrey Thomas, Tabitha, Mark Old, Richard Stephens, Richard Pringle, Blake Johnson, Christoph Grabo, xales, Mathias Brossard, Paul Horn, Philipp Hatt, Morgan Rosenkranz, anichno, Daniel Papp, Jelle Besseling, Borys Minaiev, Neil Blakey-Milner, traxys, Daniel Wagner-Hall, Gioele Pannetto, Zoran Zaric, Adam Lassek, jatescher, genny, teor, Hamilton Chapman, Daniel Silverstone, Matthias Zepper, Olivier Peyrusse, Zaki, Andy Gocke, Ives van Hoorne, Justin Ossevoort, std__mpa, Daniel Strittmatter, John VanEnk, Brooke Tilley, Christopher Valerio, Cole Kurkowski, Cole Tobin, Vladimir, Twan Walpot, Yann Schwartz, Luuk, Max Heaton, me, Samit Basu, René Ribaud, Walther, Guillaume Demonet, Ben Mitchell, Nicolas Riebesel, Xirvik Servers, Tyler Bloom, Joshua Roesslein, WeblWabl, Em Sharnoff, Dylan Anthony, L0r3m1p5um, Duane Sibilly, Braidon Whatley, Simon Menke, Peter Shih, hgranthorner, Lena Schönburg, Ripta Pasay, Ben Wishovich, Diego Roig, Michal Hošna, Chris Emery, Matt Heise, bbutkovic, Geoff Cant, Gorazd Brumen, Steven Pham, Marky Mark, Pete LeVasseur, James Brown, Wojciech Smołka, James Leitch, Scott Steele, Kevin Nguyen, Josh Triplett, Reto Trappitsch, Ross Williams, AdrianEddy, Antoine PESTEL-ROPARS, Brandon Piña, David Barsky, Jean-David Gadina, Elnath , James Rhodes, clement, Matěj Volf, Astrid, Mateusz Wykurz, notryanb, Timothée Gerber, Matt Campbell, Jim, Colin VanDervoort, Justin Smith, Laine Taffin Altman, Alex Krantz, Dimitri Merejkowsky, Guillaume E, Zac Harrold, old.woman.josiah, 0lach, Antoine Boegli, Manuel Hutter, Ivo Murrell, Sylvie Nightshade, Thehbadger, Sawyer Knoblich, Bob Ippolito, Björn Marschollek, Paul Marques Mota, Jack Duvall, John Horowitz, Yufan Lou, Luke Konopka, Chris Biscardi, Jonathan Adams, Raphaël Thériault, Dominik Wagner, Ryan, Enrico Zschemisch, Michał Bartoszkiewicz, budrick, Seth, Guilherme Neubaner, Beth Rennie, Taneli Kaivola, Romain Kelifa, qrpth , Felix Weis, Michael, Matthew T, Sean Bryant, Geoffroy Couprie, alethiophile, Lucille Blumire, callym, Senyo Simpson, Anna M, milan, Evan Relf, David Cornu, Yuriy Taraday, Antoine Rouaze, Kevin Anderson, Carson Page, Niels Abildgaard, Toon Willems, Hadrien G., Aleksandre Khokhiashvili, Jan-Stefan Janetzky, Andrew Henshaw, The0x539, Aiden Scandella, Sam Leonard, Garret Kelly, Marcin Kołodziej, Zalán Bálint Lévai, Kai Kaufman, Matt Jackson, Michael Alyn Miller, C J Silverio, Jimmy Hartzell, Dom, Sung Jeon, Mike English, Òscar Pérez, Chris Sims, Horváth-Lázár Péter, Pete Bevin, Jörn Huxhorn, Mark Tomlin, Sindre Johansen, Michał Zalewski, you got maiL, Jake Demarest-Mays, Ronen Ulanovsky, Romain Ruetschi, Andronik, Zachary Myers, Xavier Groleau, Johnathan Pagnutti, Dirkjan Ochtman, Nyefan, Matt Jadczak, Raine Godmaire, Josiah Bull, e9zaktw1, messense, Marco Carmosino, avborhanian, Thor Kamphefner, Isak Sunde Singh, Alan O'Donnell, Egor Ternovoi, Sarah Berrettini, Elendol, Noel, Chris Thackrey, playest, Makoto Nakashima, Andy F, zed, SeniorMars, Ronen Cohen, villem, Herman J. Radtke III, Stephan Buys, Mikkel Rasmussen, Christian Bourjau, Lawrence Bethlenfalvy, Radu Matei, compwhizii, Ahmad Alhashemi, Alex Rudy, Chris Walker, Corey Alexander, Kyle Lacy, Olivia Crain, dataphract, Integer 32, LLC, Menno Finlay-Smits, Tobias Bahls, David White, Romet Tagobert, Marie Janssen, Valentin Mariette, Marty Penner, Nicholas, Paige Ruten, Henrik Tudborg, Adam Gutglick, Mattia Valzelli, Mason Ginter, Scott Sanderson, Berkus Decker, Benjamin Röjder Delnavaz, Justy, Yves, Beat Scherrer, Chris, Luke Yue, Wyatt Herkamp, Brian L. Troutwine, Marc-Andre Giroux, Max von Forell, Aalekh Patel, Jesse Luehrs, Dave Minter, belzael, Eugene Bulkin, ZacJW, Angelo, Kamran Khan, Alexandra Østermark, ShikChen, Santiago Lema, Max Bruckner, Malik Bougacha, Jonas Platte, Philipp Angerer, Torben Clasen, Mark, psentee, ofrighil, Tiziano Santoro, Vincent Mutolo, Tanner Muro, Tomas Sedovic, DaVince, Tom Forbes, Boris Dolgov, Marcus Griep, Philipp Gniewosz, Ian McLinden, Victor Song, prairiewolf, Mario Fleischhacker, Lyssieth, Julian Schmid

On September 8 2025, around 13:00 UTC, someone compromised Josh Junon’s npm account (qix) and started publishing backdoored versions of his package.

Someone noticed and let Josh know:

Josh confirmed he’d gotten pwned by a fake 2FA (two-factor authentication) reset e-mail:

The phishing e-mail came from npmsj.help (registered 3 days prior) and claimed users had to reset their 2FA:

The raw email is available for the curious — it looks like it was sent via mailtrap (I’ve sent them an e-mail about it).

Over on Mastodon, Kevin Beaumont provided a list of affected packages:

And pointed out the scale of the attack: color alone has ~32 million weekly downloads:

The payload

The complete payload is available on pastebin.

According to initial analysis, it appears it’s not meant to be running in a server environment, or on developers’ machines (in other words, not in nodejs/bun/etc.), but in the browser.

Which would mean that for the attack to be successful:

• Someone maintaining a crypto website/web-powered app would have to upgrade to the backdoored dependencies
• Those dependencies would have to be used on the front-end
• The crypto website would have had to be built, packaged, deployed
• Users of the website would’ve had to make transactions with the drainer active

In other terms, I think that if all people did was accept a PR that bumped some dependencies, and some tests ran in CI, then nothing bad has happened, yet. But people are still figuring out exactly what the payload is supposed to do, and all the affected packages.

De-obfuscating the payload through https://obf-io.deobfuscate.io/ yields good results, see this gist.

I went a step further and did a loose port to TypeScript to understand more of what’s going on.

In short, fetch and XMLHTTPRequest are hooked so that any crypto addresses found in the response body that look like Bitcoin, Solana, Litecoin v2 etc. are modified to be one of the many addresses controlled by the attacker.

Note that only the response body is modified, not the request body. Presumably… this targets API calls that would request which address to send funds to, and do the transfer through some other means?

Additionally, every 500ms up to 50 times, window.ethereum.request is called to see if any Ethereum accounts have been authorized for use with Metamask. If so, window.ethereum is monkey-patched to alter various transactions to go attacker-controlled addresses.

In particular, it looks for:

• approve(address,uint256) (0x095ea7b3) — replacing the destination & maxing out the amount
  • this codepath also logs the DEX name if known: Uniswap, PancakeSwap, 1inch, SushiSwap
• permit(address,address,uint256,uint256,uint8,bytes32,bytes32) (0xd505accf) — replacing the destination & maxing out the value
• transfer(address,uint256) (0xa9059cbb) — replacing the destination but keeping the amount
• transferFrom(address,address,uint256) (0x23b872dd) — replacing the destination but keeping the amount

There’s a Solana codepath as well, which changes various fields to 19111111111111111111111111111111, but it’s unclear to me whether that would do anything successfully.

Current situation

Sep 8, 17:19 UTC

NPM has contacted Josh and told him they are working to the remove the packages.

See Josh’s timestamped comment

Sep 8, 17:11 UTC

• John is still locked out of his npm account
• chalk was patched by Sindre
• simple-swizzle is still compromised

The npm team seems rather unresponsive given the urgency of the situation:

It’s been almost two hours without a single email back from npm. I am sitting here struggling to figure out what to do to fix any of this. The packages that have Sindre as a co-publisher have been published over but even he isn’t able to yank the malicious versions AFAIU. If there’s any ideas on what I should be doing, I’m all ears.

HN comment

The best place to stay informed is probably Kevin’s thread on Mastodon.