Billions (No, that’s not a typo, Billions with a capital B) of files were potentially compromised.
If you thought Node Package Manager (npm), the default package manager for the JavaScript runtime Node.js, had finally stopped having serious security problems, you thought wrong. This time, a two-factor authentication (2FA) phishing attack left developers frustrated, angry, and in some cases locked out of their own projects, while users were left wondering whether their systems had been hacked.
There’s nothing new about this. For years, developers have worried about the integrity of npm packages after a series of high-profile incidents: the left-pad unpublishing debacle in 2016, the flatmap-stream backdoor in 2018, and targeted account takeovers. In response, GitHub, the Microsoft-owned steward of npm, rolled out mandatory 2FA for popular package maintainers as a long-overdue safeguard. In theory, that’s the right move. In practice, the rollout was a textbook case in how not to handle software supply chain security.
The result? On September 8, 2025, a supply chain attack rolled over 18 popular npm packages. These included chalk, debug, and ansi-styles. Overall, according to Belgian company Aikido Security, the compromised packages accounted for more than 2 billion downloads per week.
The compromised programs were “updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.”
This exploit worked as a browser-based interceptor that hijacked both network traffic and application APIs. Once in place, it hooked browser functions such as fetch and XMLHttpRequest, along with wallet interfaces, and silently rewrote values in requests and responses. That meant identifiers, such as payment destinations or approval targets, were swapped for attacker-controlled ones before the user ever saw or signed them. To make the changes even harder to spot, it used string-matching logic that replaced the real targets with look-alike values.
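One defensive counterpart to the hooking described above is a load-time integrity check on the browser primitives involved. The block below is an added example, not code from the article or from npm; it assumes it runs before any third-party bundle and uses the fact that genuine built-ins stringify to `[native code]` and keep their original `.name`.

```javascript
// Added example (not from the article or from npm): verify at load time that
// the network primitives the injected code is described as hooking are still
// the engine's own. A hook written in JavaScript does not stringify to
// "function fetch() { [native code] }".
const NATIVE_CODE = /\{\s*\[native code\]\s*\}\s*$/;
// Capture the stringifier now, so a later patch to Function.prototype.toString
// cannot vouch for a hook; this only helps if this script runs first.
const nativeToString = Function.prototype.toString;

function isNativeFunction(fn, expectedName) {
  if (typeof fn !== 'function') return false;
  let source;
  try { source = nativeToString.call(fn); } catch (e) { return false; }
  // .bind() yields a native-looking function named "bound <name>", so the
  // name check catches bind-based wrappers. A Proxy around the real function
  // passes both checks; comparing against a reference taken from a fresh
  // iframe is the stronger, browser-only option.
  return NATIVE_CODE.test(source) && fn.name === expectedName;
}

// Defaults cover the functions named in the article. XMLHttpRequest only exists
// in browsers, so a missing global is reported as absent, not tampered. Note
// that Node's own fetch is implemented in JavaScript and would be flagged here;
// the audit is meant for a browser page.
const WATCHED = [
  { label: 'fetch', name: 'fetch', get: () => globalThis.fetch },
  { label: 'XMLHttpRequest.prototype.open', name: 'open',
    get: () => globalThis.XMLHttpRequest && globalThis.XMLHttpRequest.prototype.open },
  { label: 'XMLHttpRequest.prototype.send', name: 'send',
    get: () => globalThis.XMLHttpRequest && globalThis.XMLHttpRequest.prototype.send },
];

function auditNetworkPrimitives(targets = WATCHED) {
  const report = { native: [], tampered: [], absent: [] };
  for (const { label, name, get } of targets) {
    const fn = get();
    if (fn === undefined) report.absent.push(label);
    else if (isNativeFunction(fn, name)) report.native.push(label);
    else report.tampered.push(label);
  }
  return report;
}

console.log(auditNetworkPrimitives());
```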
Shoot me now.
So, what went wrong? It all started on Sept. 4 when attackers registered a phishing domain, npmjs.help, to send phishing emails urging npm package maintainers to “refresh” and “update” their 2FA settings, claiming that if they didn’t, they’d be locked out of their accounts by Sept. 10.
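The lure relied on a domain that merely resembles the real registry. The block below is an added example, not code from the article or from npm, showing the kind of link triage a maintainer or mail filter can apply: only hosts on an assumed allowlist (npmjs.com, github.com) are trusted, and any other host carrying the brand label, such as npmjs.help, is reported as a lookalike. The sample email text is constructed.

```javascript
// Added example (not from the article or from npm): triage links in a
// "refresh your 2FA" style email before anyone follows them.
const TRUSTED_HOSTS = ['npmjs.com', 'github.com']; // assumed allowlist for this example
const BRAND_LABELS = ['npmjs', 'github'];

function onAllowlist(host, trustedHosts) {
  return trustedHosts.some((t) => host === t || host.endsWith('.' + t));
}

function classifyLink(href, trustedHosts = TRUSTED_HOSTS, brands = BRAND_LABELS) {
  let url;
  try { url = new URL(href); } catch (e) { return 'invalid'; }
  // URL parsing lowercases the host, separates any "user@" prefix that tries to
  // smuggle a trusted name into the link, and converts IDN labels to punycode,
  // so unicode homoglyph domains cannot match the ASCII allowlist.
  const host = url.hostname;
  if (url.protocol !== 'https:') return 'untrusted';
  if (onAllowlist(host, trustedHosts)) return 'trusted';
  const brandInHost = host.split('.').some((label) => brands.some((b) => label.includes(b)));
  return brandInHost ? 'lookalike' : 'untrusted';
}

// Pull every http(s) link out of an email body and classify each one.
function scanEmailLinks(text) {
  const links = text.match(/https?:\/\/[^\s"'<>()]+/g) || [];
  return links
    .map((raw) => raw.replace(/[.,;:]+$/, '')) // drop trailing sentence punctuation
    .map((href) => ({ href, verdict: classifyLink(href) }));
}

// Constructed sample resembling the campaign's lure; not a real message.
const SAMPLE_EMAIL = [
  'Your 2FA credentials expire soon. Update them at https://npmjs.help/2fa',
  'or manage settings at https://www.npmjs.com/settings/example/tfa.',
].join('\n');

console.log(scanEmailLinks(SAMPLE_EMAIL));
```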
On Sept. 8, Josh Junon, aka ~qix, a package maintainer for chalk and debug, revealed on Bluesky that he’d been pwned by a 2FA reset email that looked very legitimate. He wasn’t alone. Soon, other maintainers and developers were reporting that they’d been compromised.
In the attack’s aftermath, developers said that code publishing simply failed, with cryptic error messages tied to account protection. For some, one-time passcodes sent via SMS or authenticator apps didn’t work. Others couldn’t even reauthenticate after being logged out. Still more maintainers complained that even after jumping through npm security hoops, they didn’t hear back from npm about their packages’ status. Was it rolled back to a safe version? Was it still compromised? They couldn’t tell.
Several maintainers said their packages had been frozen for days. Imagine trying to push urgent updates to a widely used library, only to find that npm had locked the doors and thrown away the keys.
The result? A global community of JavaScript developers scratching their heads and venting on GitHub issues, Twitter, and Reddit. Instead of boosting trust in the supply chain, npm’s 2FA problems handed detractors another reason to doubt its reliability.
As Tyler Moffitt, OpenText Cybersecurity Senior Security Analyst, told DevOps, “This attack shows how fragile the software supply chain can be: even tiny utilities like chalk (used just to color console output) can become high-impact attack vectors. Phishing and credential theft remain the easiest path for attackers to compromise trusted infrastructure.”
On LinkedIn, Dan Lorenc, Chainguard CEO, added, “Five years from now, I hope everyone realizes how wildly brazen we all were to blindly trust opaque packages secured by basic password auth.”
He’s not wrong. Npm isn’t some obscure niche registry. It serves over 2 million packages and processes tens of billions of downloads every week. When something breaks on npm, developers from startups to tech giants feel it immediately. Worse, interruptions in publishing security fixes to modules exposed millions of downstream users to potential threats—ironically, that’s exactly the scenario 2FA was meant to prevent.
As a Ycomb user going by the handle yaramin snarled, “I’m angry about this. Large megacorps with the budget of medium-sized countries allocate the minimum amount of budget to maintain their auth systems and still allow the use of phishable auth methods.”
Successfully implemented 2FA can be a big security help. The key phrase is “successfully implemented.” Good intentions poorly executed helped lead to what one Reddit poster observed: “npm getting owned because one dev clicked the wrong link. Billions of downloads [were] poisoned. Supply chain security is still held together with duct tape.”
He’s not wrong. Npm needs a complete supply chain security overhaul from top to bottom.