OSSpocalypse? What To Know About The Hacks Of Leading Open Source Packages

A campaign against leading maintainers has seen malware implanted in open source packages with more than 2 billion monthly downloads. The target? Crypto wallets.

Paul Roberts, Director of Content and Editorial at RL

Security experts are warning of widespread phishing attacks that have compromised the accounts of prominent open source developers. The campaign has placed malicious code designed to steal cryptocurrency into widely used open source packages that account for billions of downloads each month. 

As of this writing, scores of leading developers on open source platforms including GitHub and Node Package Manager (npm) appear to have been compromised in a coordinated campaign of phishing attacks. The full extent of the campaign is unclear, but a large number of widely used open source packages appear to have been affected in attacks that closely resemble the July compromise of the maintainer of eslint-config-prettier and other popular npm packages.

Compromised packages with billions of downloads

The incident first came to light after Josh Junon, a highly respected developer with the handle ~qix, acknowledged on Monday that his npm account was hacked via a phishing attack involving a fake two-factor authentication email that “looked shockingly authentic.” Shortly thereafter, security researchers notified Junon that his account was linked to malicious code updates to packages he helped maintain.

Junon is a contributor to some of the most widely used open source packages on npm, totalling more than 11 billion monthly downloads. Based on analysis by ReversingLabs and others, many of the most widely used packages that he maintained were compromised in the attack. Among them are six packages with between 1 billion and 1.6 billion monthly downloads each: ansi-styles, debug, chalk, supports-color, strip-ansi and ansi-regex.

At the time of writing, ReversingLabs has confirmed 18 distinct npm packages compromised following the takeover of the ~qix maintainer account. They are:

Analysis of the affected packages revealed suspicious indicators, including obfuscated code and files exhibiting behaviors associated with malicious software.

A deeper analysis revealed that the affected packages were modified to include a heavily obfuscated malicious JavaScript payload designed to steal funds from Bitcoin, Ethereum, Solana and other cryptocurrency wallets, according to an analysis by ReversingLabs.


Specifically, the code is designed to monitor web requests for crypto wallet-related interactions and replace legitimate recipient wallet addresses with a predefined set of malicious (aka “drainer”) crypto wallet addresses that are hard-coded into the malicious code. The malicious addresses identified in the code are listed here.
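The two traits described above, request interception plus a hard-coded list of recipient addresses, are something a reviewer can look for in a package before trusting it. The following is an added example written for this post, not the attackers' code and not ReversingLabs tooling. It assumes that the interception is done by reassigning `fetch`, `XMLHttpRequest.prototype.open/send` or `ethereum.request` (the article does not say how the payload hooks requests), the address regexes are loose shape checks rather than validators, and the three-address threshold and the sample sources are constructed for illustration.

```javascript
// Added example (not from the article, and not the attackers' code): a heuristic
// scan for the two traits the analysis above describes, namely code that
// intercepts web requests and a hard-coded set of cryptocurrency addresses.
// Treating reassignment of fetch / XMLHttpRequest / ethereum.request as the
// interception mechanism, and a threshold of three addresses, are assumptions.

// Rough address shapes; the Solana pattern is loose (any 32-44 char base58 run).
const ADDRESS_PATTERNS = {
  ethereum: /\b0x[0-9a-fA-F]{40}\b/g,
  bitcoin: /\b(?:bc1[ac-hj-np-z02-9]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b/g,
  solana: /\b[1-9A-HJ-NP-Za-km-z]{32,44}\b/g,
};

// Assignments that replace the browser's request plumbing with attacker code.
const HOOK_PATTERNS = [
  /(?:window|globalThis|self|global)\s*\.\s*fetch\s*=/,
  /XMLHttpRequest\.prototype\.(?:open|send)\s*=/,
  /ethereum\.request\s*=/,
];

// Returns which hook patterns fired, which address shapes were seen, the
// distinct address-like strings, and a verdict. Both traits must coincide:
// a polyfill legitimately assigns fetch, and a README may carry a donation
// address, but request hooking plus a wallet list is the drainer signature.
function scanSource(source) {
  const hooks = HOOK_PATTERNS.filter(p => p.test(source)).map(p => p.source);
  const addresses = new Set();
  const chains = [];
  for (const [chain, re] of Object.entries(ADDRESS_PATTERNS)) {
    const found = source.match(re) || [];
    if (found.length) chains.push(chain);
    for (const a of found) addresses.add(a);
  }
  const suspicious = hooks.length > 0 && addresses.size >= 3;
  return { suspicious, hooks, chains, addresses: [...addresses] };
}

// Constructed sample sources; the addresses are made-up placeholders, not the
// real drainer addresses from the attack.
const BENIGN_SOURCE = `
  // a polyfill: assigns fetch but carries no wallet list
  if (!globalThis.fetch) globalThis.fetch = require("node-fetch");
  module.exports = { supportsColor: true };
`;
const SUSPECT_SOURCE = `
  var _0xa1 = ["0x1111111111111111111111111111111111111111",
               "0x2222222222222222222222222222222222222222",
               "bc1qa7pv2n4m3u8x9e5k6c2f7g8h9j4s5t6u7w8y9z2ad4",
               "4Nd1mY9kV2wq3B5Qp8Hs7XcR6tJ2fL9mN3bV5cP7dZ"];
  var _0xorig = globalThis.fetch;
  globalThis.fetch = function (u, o) { /* swap recipient in o.body */ return _0xorig(u, o); };
`;

for (const [label, src] of [["benign", BENIGN_SOURCE], ["suspect", SUSPECT_SOURCE]]) {
  const r = scanSource(src);
  console.log(label, r.suspicious ? "SUSPICIOUS" : "ok", r.chains, r.addresses.length, "addresses");
}
```

Run it over the unpacked contents of a tarball (`npm pack <name>@<version>` then read each `.js` file) rather than over the repository, since the malicious code in this campaign was added to the published package, not to the source tree. Expect false positives from bundled wallet SDKs, which legitimately contain both traits; the scan narrows the review, it does not replace it.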

Phishing for (open source) gold

In a post on the Bluesky social media network on September 8th, Junon said that his account was hacked after receiving an email from the address support (at) npmjs.help asking “all users to update their Two Factor Authentication (2FA) credentials” and claiming that “our records indicate that it has been over 12 months since your last 2FA update.” 

The message included a hyperlink to reset the credentials. An analysis by the security firm Aikido found that the npmjs.help phishing domain was registered on September 5th, three days before the attack. Writing on Monday, Junon said that he had contacted npm regarding the compromise but had been locked out of his maintainer account by the attack.
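The lure worked because npmjs.help carries the real brand label on a domain npm does not own. A mail rule that flags exactly that mismatch is cheap to write; the following is an added example for this post, not npm's or ReversingLabs' code, and the allowlist of legitimate domains and the sample headers are assumptions constructed for illustration.

```javascript
// Added example, not from the article: classify the sender domain of an
// incoming "From" header so that a mail rule can hold messages that borrow a
// trusted brand label without coming from the brand's own domain, the pattern
// of support@npmjs.help described above. The allowlist is an assumption.
const TRUSTED_DOMAINS = new Map([
  ["npmjs.com", "npmjs"],     // legitimate domain -> brand label it protects
  ["github.com", "github"],
]);

// Pull the lowercase host out of "Name <user@host>" or "user@host";
// returns null when the header carries no address.
function senderDomain(fromHeader) {
  const m = /([^\s<>@"]+)@([^\s<>"]+)>?\s*$/.exec(fromHeader.trim());
  return m ? m[2].toLowerCase().replace(/\.$/, "") : null;
}

// verdict: "trusted" (the real domain or a subdomain of it), "lookalike"
// (brand label present, but not the real domain) or "unknown".
function classifySender(fromHeader) {
  const domain = senderDomain(fromHeader);
  if (!domain) return { verdict: "unknown", reason: "no address in header" };
  const labels = domain.split(".");
  for (const [legit, brand] of TRUSTED_DOMAINS) {
    if (domain === legit || domain.endsWith("." + legit)) {
      return { verdict: "trusted", reason: `is ${legit}` };
    }
    // Catches npmjs.help, npmjs.com.evil.example and support-npmjs.net alike:
    // the brand label appears, but the registrable domain is not ours.
    if (labels.some(l => l.includes(brand))) {
      return { verdict: "lookalike", reason: `uses "${brand}" but is not ${legit}` };
    }
  }
  return { verdict: "unknown", reason: "no trusted brand involved" };
}

// Constructed sample headers, not real mail.
const SAMPLE_FROM = [
  "npm Support <support@npmjs.help>",
  "support@npmjs.com",
  "noreply@github.com",
  "Billing <billing@npmjs.com.evil.example>",
  "alice@example.org",
];

for (const h of SAMPLE_FROM) {
  const { verdict, reason } = classifySender(h);
  console.log(`${verdict.padEnd(9)} ${h}  (${reason})`);
}
```

The header check only catches the lookalike once the message has arrived; the same comparison applied to the link target in the message body (the host the "reset 2FA" button actually points at) catches the redirect case where the visible sender is spoofed but the landing page is the registered-days-ago domain.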

As security researchers scrambled to assess the damage from the attacks, evidence that other developer accounts had also been compromised began to emerge. Researchers at Aikido wrote that they detected another package, proto-tinker-wc, containing the same malicious code. Further analysis revealed that the maintainer of that package, ~eswat2, may also have been compromised.

ReversingLabs found hundreds of packages on GitHub, associated with scores of developers, that contain the malicious code linked to the attackers who targeted ~qix. Those include commonly used code such as the Orange Design Charts (ods-charts) library, created by Orange Open Source. In all, more than 550 files on GitHub were found to match the hash of the malicious code from the latest campaign.

While the full extent of the hacks and the list of affected packages has yet to be determined, security experts say that the vast reach of the affected packages will touch most developers. “There's no one that's building code with npm packages that isn't possibly affected by this,” said Tomislav Peričin, the co-founder and Chief Software Architect at ReversingLabs, in response to the compromise of the ~qix maintainer account.

An early warning: eslint-config-prettier? 

Though unmatched in scope, the attacks on Monday follow the broad outlines of an attack ReversingLabs detected in July, in which a phishing attack on an npm developer resulted in the compromise of eslint-config-prettier: an npm package with over 3.5 billion downloads and 12,000 dependent packages. 

In that case, malicious actors gained access to the maintainer’s account via a sophisticated phishing scheme that spoofed an npm support email and used a phishing website, npmjs (dot) org, that mimicked the actual npmjs.com website. The attack resulted in the theft of the maintainer’s credentials, which was followed by the publication of malicious versions of eslint-config-prettier, synckit, @pkgr/core and napi-postinstall.

Those compromised packages contained a post-install script that installed a PE DLL embedding the Scavenger remote access trojan (RAT), enabling infection of Windows development environments. Following detection by researchers at Socket and RL, npm was notified and the malicious versions were pulled within about two hours. Still, given how widely the affected packages are used and how common it is to apply package updates automatically, the real impact of the compromise remains unclear.

Recommendations

Developers can check the security grade of packages on the secure.software portal. Any compromised package version should be removed from the affected project, including from transitive dependencies, and the lockfile regenerated against known-good versions rather than simply re-running an install.
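Checking for an affected version by hand is error-prone because the package may be pulled in several levels deep. The following is an added example for this post, not ReversingLabs tooling, that audits an npm lockfile for two things: dependencies pinned to a blocklisted version (the check this section calls for) and dependencies that carry an install script (the mechanism the July eslint-config-prettier compromise used to run its payload). The blocklisted versions and the sample lockfile are placeholders constructed for illustration; the real versions to block come from the advisory you are acting on.

```javascript
// Added example, not from the article or from ReversingLabs tooling: audit an
// npm package-lock.json (lockfileVersion 2 or 3) for (a) dependencies pinned to
// a release on a blocklist of compromised versions and (b) dependencies npm has
// flagged with hasInstallScript, the mechanism the July eslint-config-prettier
// compromise used to run its payload. The blocklist versions are placeholders
// (assumed, not real); fill them from the advisory you are responding to.
const COMPROMISED = new Map([
  ["chalk", new Set(["9.9.9"])],   // placeholder version, assumption
  ["debug", new Set(["9.9.9"])],   // placeholder version, assumption
]);

// Package names in the lockfile are the path after the last "node_modules/",
// so nested copies ("node_modules/a/node_modules/debug") are audited too.
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lockJson, blocklist = COMPROMISED) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages) {
    throw new Error("no 'packages' map: lockfileVersion 1; regenerate with npm >= 7");
  }
  const hits = [];
  const installScripts = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;                 // the root project entry
    const name = nameFromPath(path);
    const bad = blocklist.get(name);
    if (bad && bad.has(entry.version)) hits.push({ name, version: entry.version, path });
    if (entry.hasInstallScript) installScripts.push({ name, version: entry.version, path });
  }
  return { clean: hits.length === 0, hits, installScripts };
}

// Constructed sample lockfile (not a real project); in practice pass
// fs.readFileSync("package-lock.json", "utf8").
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { chalk: "^9.9.0" } },
    "node_modules/chalk": { version: "9.9.9" },
    "node_modules/supports-color": { version: "9.9.8" },
    "node_modules/some-native-addon": { version: "2.0.0", hasInstallScript: true },
    "node_modules/some-native-addon/node_modules/debug": { version: "4.0.0" },
  },
});

const report = auditLockfile(SAMPLE_LOCK);
for (const h of report.hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
for (const s of report.installScripts) console.log(`install script: ${s.name}@${s.version}`);
console.log(report.clean ? "no blocklisted versions" : "action required");
```

Run this against every lockfile in CI as well as on developer machines, since a pipeline that runs `npm install` with a floating range will pick up a bad release even when the committed lockfile is clean. Installing with `npm ci --ignore-scripts` and then reviewing the `installScripts` list before running the scripts removes the post-install execution path the July attack relied on.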

Cryptocurrency users who are concerned that they may have interacted with applications or websites built on the compromised packages are advised to disconnect their crypto wallets from any affected websites immediately, revoke token approvals granted from that wallet and transfer funds to a new, secure wallet.

ReversingLabs is continuing to monitor the situation and will update this post as new information becomes available.
