
color npm package compromised

On September 8, 2025, around 13:00 UTC, someone compromised Josh Junon’s npm account (qix) and started publishing backdoored versions of his packages.

Someone noticed and let Josh know:

Hey. Your npm account seems to have been compromised. 1 hour ago it started posting packages with backdoors to all your popular packages.
Charlie Eriksen on BlueSky

Josh confirmed he’d gotten pwned by a fake 2FA (two-factor authentication) reset e-mail:

Yep, I've been pwned. 2FA reset email, looked very legitimate. Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again. Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.
Josh Junon on BlueSky

The phishing e-mail came from npmsj.help (a domain registered only 3 days earlier) and claimed that users had to reset their 2FA:
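The lure worked because the sender domain was a near-copy of the real registry domain: a transposed letter pair in the label and a different TLD. The following is an added example, not code from the article or from npm, showing one way a mail filter or a cautious maintainer can flag such lookalike sender domains. The trusted-domain list and the sample addresses are assumptions made up for the example.

```python
"""Flag e-mail sender domains that look like a trusted registry domain.

Added example (not part of the original article). The trust list below is an
assumption; the sample addresses in the usage block are constructed.
"""

# Assumed trust list: domains the maintainer actually expects mail from.
TRUSTED = ["npmjs.com", "npmjs.org", "github.com"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition. 'npmjs' -> 'npmsj' costs 1 (one swap)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_parts(domain: str) -> tuple[str, str]:
    """Split 'support.npmjs.com' into ('npmjs', 'com'): the label just before
    the TLD and the TLD itself. Good enough for generic TLDs like .com/.help."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify_sender(address: str, trusted=TRUSTED, max_label_dist: int = 2):
    """Return (verdict, closest_trusted_domain).

    verdict is one of:
      'trusted'   - the domain is, or is a subdomain of, a trusted domain
      'lookalike' - the registrable label is within max_label_dist edits of a
                    trusted label (covers swapped letters and swapped TLDs)
      'unrelated' - nothing close; treat like any other unknown sender
    """
    domain = address.rsplit("@", 1)[-1].lower().strip()
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", t

    label, _tld = registrable_parts(domain)
    # Deterministic tie-break: smallest distance, then alphabetical name.
    best = min(trusted, key=lambda t: (osa_distance(label, registrable_parts(t)[0]), t))
    if osa_distance(label, registrable_parts(best)[0]) <= max_label_dist:
        return "lookalike", best
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample senders; the first mirrors the article's phishing domain.
    for sender in ["support@npmsj.help", "noreply@npmjs.help",
                   "security@support.npmjs.com", "alerts@example.net"]:
        print(f"{sender:32} -> {classify_sender(sender)}")
```

A distance budget of 2 on the label is deliberately small: it catches single swaps, dropped or added letters and a changed TLD without flagging every unrelated short domain. The verdict is meant to route a message to scrutiny (or to a quarantine rule), not to prove the message is hostile, so a real deployment would also check the Reply-To address, the link targets in the body and, where available, the domain's registration age.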
