On September 8, 2025, the JavaScript ecosystem experienced what is now considered the largest supply chain attack in npm history. A sophisticated phishing campaign led to the compromise of a trusted maintainer’s account, resulting in the injection of cryptocurrency-stealing malware into 18+ foundational npm packages. These packages collectively accounted for over 2 billion weekly downloads, affecting millions of applications globally—from personal projects to enterprise-grade systems. Following the discovery of the breach, the npm team began removing several of the malicious package versions published by the attackers, including the compromised debug package, which alone sees over 357 million downloads each week. Initial Compromise: A Phishing Attack with […]
The post The Great NPM Heist – September 2025 appeared first on Check Point Blog.