
This 2FA phishing scam pwned a developer - and endangered billions of npm downloads


Elyse Betters Picaro / ZDNET


ZDNET's key takeaways

A phishing email was at the heart of the attack.

NPM team quickly removed backdoored versions.

18 packages hit, with 2B+ downloads every week.

A new digital supply chain attack has targeted popular open-source npm packages with at least two billion downloads per week.

'I've been pwned'

On Sept. 8, Josh Junon, a package maintainer whose account was at the center of the attack, revealed that a sophisticated phishing attack was to blame, impacting npm packages linked to his account.

Also known as qix, Junon said, "I've been pwned. 2FA reset email, looked very legitimate."
