Description
During the OWASP Chapter France meetup on 13 October 2025, I walked through the multi-stage supply chain attacks that struck npm in September. This talk breaks down how popular package maintainers were compromised, how the attacks evolved over several days, and what builders can do to harden their JavaScript pipelines.
The target: npmjs.com
- Central registry and default dependency provider for the JavaScript ecosystem
- Owned by GitHub since 2020, hosting more than 3 million public packages
- A platform created in 2010 with limited recent improvements to token management and 2FA enforcement, leaving room for abuse
Timeline of the attacks
8 September 2025 — First wave “Qix maintainer”
- Highly realistic phishing email posing as support (
npmjs.help) that urged a 2FA reset - Maintainer Josh Junon (aka Qix) entered credentials, handing full control to the attacker
- Attacker pushed booby-trapped releases of widely used packages (2–3 billion downloads per week)
- Payload: obfuscated wallet drainer malware hidden inside the packages
- Exposure window: roughly two hours before npm’s security team pulled the malicious versions
- Affected packages:
[email protected] • [email protected] • [email protected] • [email protected]
[email protected] • [email protected] • [email protected] • [email protected]
[email protected] • [email protected] • [email protected] • [email protected]
[email protected] • [email protected] • [email protected] • [email protected]
[email protected] • [email protected] • [email protected]
9 September 2025 — Second wave “duckdb_admin”
- Same phishing lure and payload reused the very next day
duckdb_adminaccount compromised, as confirmed by Socket’s incident report- Malicious releases pushed to the DuckDB ecosystem to maximize reach
16 September 2025 — Shai-Hulud worm
- Automated propagation leveraging stolen npm/GitHub tokens plus targeted phishing
- Aims: publish compromised releases, exfiltrate secrets, and establish persistence through GitHub Actions
- Demonstrated chained compromises of maintainers and repository poisoning
- Deep dive by Wiz: Shai-Hulud npm supply chain attack
GitHub response (9 October 2025)
- Strengthened 2FA: migration toward FIDO security keys and tighter TOTP flows
- Removal of all 2FA bypass paths for publishing packages
- Sunset of legacy automation tokens in favor of 90-day fine-grained tokens
- Expansion of Trusted Publishing via OIDC to sign releases automatically
- Public roadmap: Our plan for a more secure npm supply chain
How to protect your pipelines
- Lockfiles everywhere: commit
package-lock.json/pnpm-lock.yamlto pin dependencies - Smarter CLIs: prefer
pnpmor other tooling capable of blocking post-install scripts - Dedicated monitoring: integrate services like Socket.dev, JFrog Xray, or Snyk for anomaly detection
- OIDC by default: move publishing and CI/CD authentication to OIDC-based workflows
- Secret hygiene: keep token lifetimes short, review permissions often, and log every credential use