Reports have emerged of a major supply chain attack impacting numerous NPM packages maintained by the developer known as “qix.” Early analysis indicates that the attacker compromised the maintainer’s account, likely through a widespread phishing campaign targeting open-source developers. The malicious packages were uploaded to NPM within the last several hours, and users have already begun reporting suspicious payloads.

This marks yet another high-profile supply chain incident within the NPM ecosystem, just one week after the s1ngularity compromise of Nx.

What happened: the technical breakdown

Numerous NPM packages were compromised after their maintainer was hacked. The affected packages, including those reported by the maintainer, include:

  • ansi-styles@6.2.2
  • debug@4.4.2
  • chalk@5.6.1
  • supports-color@10.2.1
  • strip-ansi@7.1.1
  • ansi-regex@6.2.1
  • wrap-ansi@9.0.1
  • color-convert@3.1.1
  • color-name@2.0.1
  • is-arrayish@0.3.3
  • slice-ansi@7.1.1
  • color@5.0.1
  • color-string@2.1.1
  • simple-swizzle@0.2.3
  • supports-hyperlinks@4.1.1
  • has-ansi@6.0.1
  • chalk-template@1.1.1
  • backslash@0.2.1
  • proto-tinker-wc@0.1.87
  • @duckdb/node-api@1.3.3
  • @duckdb/duckdb-wasm@1.29.2
  • @duckdb/node-bindings@1.3.3
  • duckdb@1.3.3
  • @coveops/abi@2.0.1
  • error-ex@1.3.3

Key details

  • Reports surfaced within hours after users noticed suspicious payloads embedded in the new versions.
  • Initial investigation links the compromise to the maintainer’s account being hijacked. Community members on GitHub reported a phishing campaign targeting developers around the same time.
  • The malicious payload appears designed to harvest sensitive data, including browser-stored credentials, machine secrets, and crypto-wallet transaction information.
  • As of this writing, the maintainer remains locked out of their account and is working to revert the malicious versions.
User reports on GitHub of malicious payloads

How to defend against attacks like this

Immediate actions for engineering and AppSec

  1. Freeze builds and roll back: Pause releases that depend on Node package installs until your SBOM and lockfile checks pass. If you shipped in the last 12 hours, prepare a hotfix plan. 
  2. Inventory exposure: Run a focused dependency check for these names across repos, lockfiles, and containers.
  3. Pin and quarantine: Pin to last known good versions or temporarily vendor if needed. Rebuild artifacts from clean caches. Clear any private registry caches that may have stored malicious tarballs.
  4. Rotate secrets: Rotate npm automation tokens, GitHub tokens, and any CI secrets used during builds that pulled these dependencies. Prior incidents demonstrate attacker interest in developer tokens.  
  5. Blocking: Block npmjs.help and the observed exfil URL, search proxy logs for hits. 
  6. Monitoring: Monitor front end telemetry for wallet manipulation symptoms if you shipped builds using the affected packages today.

Closing thoughts

It has been just over one week since the last large supply chain attack in NPM, s1ngularity1. Considering the cause of this specific incident and the large campaigns targeting those maintainers – we are expected to see more of these attacks in the near future.

How Orca Can Help?

At Orca, we recognize that incidents like the qix compromise highlight the fragility of today’s software supply chains. The Orca Cloud Security Platform helps organizations respond by:

  • Providing full visibility into installed packages within code repositories through its SBOM capabilities, along with advanced reporting features. 
  • Automatically scanning git repositories and other code artifacts for vulnerabilities, misconfigurations, and exposed secrets. 
  • Setting guardrails for developers to catch issues before deployment to production environments. 
  • Tracing production risks to their code origins and remediate risks at their source, from cloud to development environments. 

By integrating application security across the full software lifecycle, Orca helps organizations eliminate blind spots, reduce risk, and accelerate secure development in the cloud.

Command your cloud with Orca

The Orca Cloud Security Platform is an open platform that identifies, prioritizes, and remediates security risks and compliance gaps across AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud, and Kubernetes. The Orca Platform leverages our patented SideScanning™ technology to provide complete coverage and comprehensive risk detection. 

Learn more 

To see how the Orca Platform can work for your organization, schedule a personalized 1:1 demo.