Cryptostealer malware was pushed to a number of npm packages, including debug (47 million downloads a week), chalk (299 million downloads a week), and a number of utility packages (e.g. color-name, color-string, color-convert, strip-ansi). This supply chain attack is believed to be the direct result of a single contributor's account being compromised via a phishing email. The full list of affected packages and versions is below. Many of these versions have already been removed from npm, and had no downloads prior to their removal.
In total these packages had a combined 2.6 billion downloads every week; had the community not reacted as quickly as it did, this incident could have had far-reaching consequences. It is a reminder of the impact supply chain attacks can have: a single account compromised via a phishing link can reach potentially millions of projects.
As of 2025-09-08T16:50:01+0000, all Semgrep Supply Chain customers have this rule available to them.
debug@4.4.2
color-name@2.0.1
strip-ansi@7.1.1
color@5.0.1
color-convert@3.1.1
color-string@2.1.1
has-ansi@6.0.1
ansi-styles@6.2.2
ansi-regex@6.2.1
supports-color@10.2.1
chalk@5.6.1
backslash@0.2.1
wrap-ansi@9.0.1
is-arrayish@0.3.3
error-ex@1.3.3
slice-ansi@7.1.1
simple-swizzle@0.2.3
chalk-template@1.1.1
supports-hyperlinks@4.1.1
For non-customers, we've open-sourced an MIT-licensed Semgrep rule that you can use to discover whether you were running a vulnerable package: https://semgrep.dev/c/r/kxUgZJg/semgrep.ssc-mal-deps-mit-2025-09-chalk-debug-color. Semgrep users can run it in one step with semgrep --config r/kxUgZJg/semgrep.ssc-mal-deps-mit-2025-09-chalk-debug-color, or you can run it locally by fetching the rule and then running semgrep --config=rule.yaml
The attack was first noted on the debug-js/debug GitHub repository, where user informatic noticed that a version pushed to npm was not present in the repository. In each of the affected versions, a new line of obfuscated JavaScript was added to the package's index.js; a sample of it is below for those looking for IoCs.
const 0x112fa8=0x180f;(function(_0x13c8b9,_0x35f660){...
This is standard cryptostealer malware that targets Bitcoin, Solana, Ethereum and other cryptocurrencies, re-routing legitimate transactions to the attacker's address by rewriting HTTP responses. Of note is the attackers' decision to use a range of wallet addresses, choosing which one to substitute based on how similar it is to the original, which makes it harder to tell at first glance that the address has been changed.
The attack was quickly picked up thanks to the open source and security communities. Because these versions were only available for a short period and (based on data from npm) had no downloads, the impact of this malware is likely minimal; however, it shows that even the compromise of a single individual account can have a much larger impact. This attack once again specifically targets Web 3.0 and cryptocurrency developers, and all developers working in this space should consider additional precautions such as using npm ci in build pipelines, as suggested by jdstaerk.