Defending Against NPM Supply Chain Attacks - NPM Vulnerability Scanner
The JavaScript ecosystem recently faced one of its most severe security incidents when a supply chain attack compromised the NPM account of the maintainer qix, resulting in malicious code being injected into several widely used packages. With over one billion combined weekly downloads, the compromised packages posed an unprecedented threat to the entire JavaScript community.
In response to this incident, we quickly built a specialized NPM vulnerability scanner that helps developers and organizations identify and assess their exposure to the compromised package versions.
The Scale of the Attack
The compromise of the qix NPM account led to the publication of malicious versions of multiple popular packages that form the backbone of countless JavaScript applications. The sheer scale of this attack is staggering:
Most Affected Packages by Weekly Downloads
ansi-styles: 371M downloads
debug: 357M downloads
chalk: 300M downloads
supports-color: 287M downloads
strip-ansi: 261M downloads
ansi-regex: 243M downloads
wrap-ansi: 198M downloads
color-convert: 193M downloads
color-name: 191M downloads
These packages are deeply integrated into thousands of CLI tools, frameworks, and backend services, making this one of the most far-reaching supply chain attacks affecting the JavaScript ecosystem.
Attack Vector and Payload
The malicious payload functioned as a crypto-stealer, designed to:
Monitor network requests for cryptocurrency wallet addresses
Replace legitimate wallet addresses with attacker-controlled addresses
Hijack cryptocurrency transactions to steal funds
Operate silently within legitimate package functionality
This type of attack is particularly insidious because the malicious code ships inside packages that developers trust and use daily, and only the specific published versions carry it. Detection therefore comes down to checking the exact versions a project resolved, not just the package names, which is hard to do by hand across many projects without a tool.
Complete List of Compromised Packages
Our analysis identified the following compromised package versions. Only these exact versions carry the payload, so a match must be on both name and version, not on the package name alone:
backslash@0.2.1
chalk@5.6.1
chalk-template@1.1.1
color-convert@3.1.1
color-name@2.0.1
color-string@2.1.1
wrap-ansi@9.0.1
supports-hyperlinks@4.1.1
strip-ansi@7.1.1
slice-ansi@7.1.1
simple-swizzle@0.2.3
is-arrayish@0.3.3
error-ex@1.3.3
has-ansi@6.0.1
ansi-regex@6.2.1
ansi-styles@6.2.2
supports-color@10.2.1
proto-tinker-wc@1.8.7
debug@4.4.2
Introducing the NPM Vulnerability Scanner
To address the urgent need for exposure assessment, we quickly built a specialized Node.js-based scanner that:
Recursively scans all subdirectories for NPM projects.
Identifies the known compromised package versions from this incident.
Outputs a clear report of affected packages and their paths.
Is fast and lightweight, with no external dependencies beyond the Node.js standard modules.
Example output
Download the scanner from here and run it with the following command (Node.js is required). A typical scan result looks like this:
$ node scan.js ./my-projects
Starting vulnerability scan in: ~/tmp/npm-scan/my-projects
Looking for vulnerable packages: backslash@0.2.1, chalk-template@1.1.1, color-convert@3.1.1, color-name@2.0.1, color-string@2.1.1, wrap-ansi@9.0.1, supports-hyperlinks@4.1.1, strip-ansi@7.1.1, slice-ansi@7.1.1, simple-swizzle@0.2.3, is-arrayish@0.3.3, error-ex@1.3.3, has-ansi@6.0.1, ansi-regex@6.2.1, ansi-styles@6.2.2, supports-color@10.2.1, proto-tinker-wc@1.8.7, chalk@5.6.1, debug@4.4.2
Found npm project: ~/tmp/npm-scan/my-projects
Found 1 npm projects
Scanning: ~/tmp/npm-scan/my-projects
============================================================
VULNERABILITY SCAN RESULTS
============================================================
Scanned Projects: 1
Vulnerable Projects: 1
Errors: 0
----------------------------------------
VULNERABLE PROJECTS:
----------------------------------------
1. my-projects (~/tmp/npm-scan/my-projects)
⚠️ chalk@5.6.1 (direct dependency)
⚠️ debug@4.4.2 (direct dependency)
Additional Resources
For more detailed information about this security incident:
Conclusion
This incident highlights the critical importance of supply chain security in modern software development. As the JavaScript ecosystem continues to grow and evolve, tools like the Verichains NPM Scanner become essential for maintaining a sound security posture.
We encourage all JavaScript developers and organizations to:
Regularly scan projects for known vulnerabilities
Implement automated security checks in CI/CD pipelines, for example failing the build when a lockfile resolves to a known-compromised version
Stay informed about security incidents in the ecosystem
Contribute to community security efforts
The Verichains NPM Scanner represents our commitment to helping the JavaScript community defend against supply chain attacks. By providing fast, accurate vulnerability detection, we aim to help developers maintain secure applications in an increasingly complex threat landscape.