Software packages with more than 2 billion weekly downloads hit in supply-chain attack

Posted on 2025-09-08 by pappp

Source: Ars Technica

Article note: A whole pile of one-liner packages used all over the place, compromised by a basic phish. I reiterate: I sincerely believed for some time that node/npm was a joke about bad design. Despite knowing that people take it seriously, I'm not entirely sure I was wrong.

Hackers planted malicious code in open source software packages with more than 2 billion weekly updates in what is likely to be the world’s biggest supply-chain attack ever.

The attack, which compromised nearly two dozen packages hosted on the npm repository, came to public notice on Monday in social media posts. Around the same time, Josh Junon, a maintainer or co-maintainer of the affected packages, said he had been “pwned” after falling for an email that claimed his account on the platform would be closed unless he logged into a site and updated his two-factor authentication credentials.

Defeating 2FA the easy way

“Sorry everyone, I should have paid more attention,” Junon, who uses the moniker Qix, wrote. “Not like me; have had a stressful week. Will work to get this cleaned up.”

Read full article

Comments

This entry was posted in News. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *