Detecting the npm supply chain compromise before it spread

Intel Name: Detecting the npm supply chain compromise before it spread

Date of Scan: November 6, 2025

Impact: High

Summary:
On September 8, 2025, a threat actor hijacked the npm account of developer “qix” (Josh Junon) through a phishing email impersonating npm Support. After stealing credentials via a fake npm login page, the attacker injected a JavaScript clipper into 20 popular npm packages, redirecting cryptocurrency transactions to attacker-controlled wallets. The incident affected packages with nearly 2.8 billion weekly downloads, marking a major supply chain compromise. Several other developers were also targeted, indicating a coordinated campaign, though remediation efforts quickly restored package integrity and account security.
