Massive NPM Supply Chain Attack: npm debug and chalk packages compromised

3 min read · Sep 9, 2025

On September 8, 2025, attackers compromised a high-profile maintainer via a phishing email sent from an address at the look-alike domain npmjs.help (support@npmjs.help), then published malicious versions of popular dependencies relied on by the entire JavaScript ecosystem. Coverage confirms the phishing domain and the maintainer’s acknowledgment.

The phishing email

The maintainer shared that he was compromised by phishing, via this email sent from support [at] npmjs [dot] help:

The result: malicious releases across packages that collectively see ~2.6–2.7B weekly downloads — an unusually broad blast radius.

Compromised npm Packages (package — compromised version — weekly downloads, sorted by downloads)

  • 📦 ansi-styles — ⚠️ 6.2.2 — 📉 371.41M/week
  • 📦 debug — ⚠️ 4.4.2 — 📉 357.60M/week
  • 📦 chalk — ⚠️ 5.6.1 — 📉 299.99M/week
  • 📦 supports-color — ⚠️ 10.2.1 — 📉 287.10M/week
  • 📦 strip-ansi — ⚠️ 7.1.1 — 📉 261.17M/week

Written by Kristiyan Velkov

Front-end Advocate | Meta Certified React JS Developer | Tech lead | Speaker | Book Author| React.js | Next.js | Angular | TS | DevOps | People management