A phishing attack aimed at a particular software maintainer’s account has managed to compromise software packages that together have over 2.6 billion weekly downloads. BleepingComputer notes that the infection is being called the “largest supply chain attack in history.” The developer behind the software packages, identified as Josh Junon, was compromised via a phishing scheme, and the malicious code injected into his packages targets several blockchains, including Ethereum, Bitcoin, Solana, and Tron, The Register reports.

Junon has been posting about the compromise on his Bluesky account. “Yep, I’ve been pwned. 2FA reset email, looked very legitimate,” Junon wrote on his account. “Only NPM affected.” “Sorry everyone, I should have paid more attention,” he added. “Not like me; have had a stressful week. Will work to get this cleaned up.”

The compromise was originally noted by Charlie Eriksen, a researcher for security firm Aikido. The phishing email was sent and styled to look like it had come from the NPM organization itself. “To maintain the security and integrity of your account, we kindly ask that you complete this update at your earliest convenience,” it read. “Please note that accounts with outdated 2FA credentials will be temporarily locked starting September 10, 2025, to prevent unauthorized access.”

NPM is the open-source package manager for the JavaScript and Node.js ecosystem, used to publish and install code libraries for all kinds of projects. NPM’s website says it is relied upon by some 17 million different software projects. In this case, 18 different widely used software packages maintained by Junon were hijacked and implanted with malicious code, Eriksen notes.

Open source software is a pivotal infrastructural component of the modern internet, but its unique security dilemmas can, on occasion, lead to digital disasters. Indeed, the corruption of a single project can lead to a kind of web contagion that impacts droves of apps and programs. NPM has gone through this sort of thing before.
A similar (albeit not as widespread) case took place back in 2022, when the creator behind two very popular coding libraries abruptly corrupted them, leading to the “bricking” of countless software programs. In that particular instance, some 20,000 software projects were said to be reliant on that one creator. The silver lining is that, while the most recent infection is reported to be historically widespread, it sounds like it was quashed before any real damage could be done. BleepingComputer notes that the NPM team has been deleting the malicious versions of the software packages in an effort to cut down on the spread of the malware. Gizmodo reached out to NPM and Aikido for more information and will update this story when we receive a response.
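When a maintainer account is hijacked like this, the practical question for anyone downstream is whether one of the poisoned versions is pinned in their own lockfile. The following script is an added example written for this article, not code from NPM, Aikido or the maintainer; it walks an npm `package-lock.json` (both the older lockfileVersion 1 tree and the lockfileVersion 2/3 `packages` map) and reports every installed package whose name and version exactly match a blocklist. The article names no specific package versions, so the `BLOCKLIST` entries and the two sample lockfiles are constructed placeholders that you would replace with the name/version pairs from the advisory.

```javascript
// Added example (not from the article): audit an npm lockfile for known-bad
// package versions published during a maintainer-account compromise.
// Supports lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map).

// PLACEHOLDER blocklist: the article names no package versions, so these
// entries are constructed. Replace with the advisory's real name/version pairs.
const BLOCKLIST = [
  { name: "example-pkg-a", version: "1.2.3" },
  { name: "example-pkg-b", version: "4.5.6" },
];

// Constructed lockfileVersion 3 sample (not a real project's lockfile).
const SAMPLE_LOCK_V3 = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/example-pkg-a": { version: "1.2.3" },
    "node_modules/example-pkg-b": { version: "4.5.5" }, // older, not listed
    "node_modules/other/node_modules/example-pkg-b": { version: "4.5.6" }, // nested copy
  },
});

// Constructed lockfileVersion 1 sample (nested "dependencies" tree).
const SAMPLE_LOCK_V1 = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    "example-pkg-a": {
      version: "1.2.3",
      dependencies: { "example-pkg-b": { version: "4.5.6" } },
    },
    "safe-pkg": { version: "0.1.0" },
  },
});

// Derive the package name from a v2/v3 "packages" key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPackagesKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  if (idx === -1) return null; // root entry ("") or a workspace path
  return key.slice(idx + "node_modules/".length);
}

// Yield { name, version, path } for every installed package in the lockfile.
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      const name = entry.name || nameFromPackagesKey(key);
      if (name && entry.version) yield { name, version: entry.version, path: key };
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested dependency tree, walked recursively
    function* walk(deps, prefix) {
      for (const [name, entry] of Object.entries(deps)) {
        const path = prefix + "node_modules/" + name;
        if (entry.version) yield { name, version: entry.version, path };
        if (entry.dependencies) yield* walk(entry.dependencies, path + "/");
      }
    }
    yield* walk(lock.dependencies, "");
  }
}

// Return every installed package that exactly matches a blocklisted name@version.
function findCompromised(lockfileText, blocklist = BLOCKLIST) {
  const lock = JSON.parse(lockfileText);
  const bad = new Set(blocklist.map((b) => `${b.name}@${b.version}`));
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    if (bad.has(`${pkg.name}@${pkg.version}`)) hits.push(pkg);
  }
  return hits;
}

// Stand-alone usage: run over the two constructed samples.
if (typeof require !== "undefined" && require.main === module) {
  for (const [label, text] of [["v3", SAMPLE_LOCK_V3], ["v1", SAMPLE_LOCK_V1]]) {
    const hits = findCompromised(text);
    console.log(`${label}: ${hits.length} compromised package(s)`);
    for (const h of hits) console.log(`  ${h.name}@${h.version} at ${h.path}`);
  }
}
```

The check is deliberately an exact name-and-version match: a hijacked release is a specific version, and the same package at a different version (as with `example-pkg-b@4.5.5` above) is not evidence of compromise. Nested copies under another dependency's `node_modules` are reported too, since those are exactly the installs a quick look at the top-level dependency list misses. Once the registry has published advisories for the affected versions, `npm audit` covers the same ground against the official database; this script is for the window before that happens, or for lockfiles checked in CI where the advisory feed is not available.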