Date: 11/06/2025
Severity: High
Summary
On September 8, 2025, a threat actor took over the NPM account of maintainer "qix" (Josh Junon) through a phishing email impersonating NPM Support that led to a fake NPM login page on the look-alike domain npmjs.help. Using the stolen credentials, the attacker published new versions of 20 popular NPM packages containing a JavaScript clipper. The clipper runs in the browser of any web application that bundles one of the compromised versions and rewrites the destination of cryptocurrency transactions to attacker-controlled wallets. The affected packages together account for nearly 2.8 billion weekly downloads, making this a major software supply chain compromise. Several other maintainers received the same lure, indicating a coordinated campaign. The malicious versions were removed from the registry and the account was secured quickly, but any build that pulled a compromised version during the exposure window should be treated as affected.
Indicators of Compromise (IOC) List
URLs/Domains:
  npmjs.help
  https://www.npmjs.help/login
  static-mw-host.b-cdn.net
  img-data-backup.b-cdn.net
  websocket-api2.publicvm.com
  https://websocket-api2.publicvm.com/images/jpg-to-png.php
IP Address:
  185.7.81.108
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain and URL indicators; run over proxy, DNS and web-gateway events):
domainname like "https://websocket-api2.publicvm.com/images/jpg-to-png.php" or siteurl like "https://websocket-api2.publicvm.com/images/jpg-to-png.php" or url like "https://websocket-api2.publicvm.com/images/jpg-to-png.php"
or domainname like "static-mw-host.b-cdn.net" or siteurl like "static-mw-host.b-cdn.net" or url like "static-mw-host.b-cdn.net"
or domainname like "https://www.npmjs.help/login" or siteurl like "https://www.npmjs.help/login" or url like "https://www.npmjs.help/login"
or domainname like "img-data-backup.b-cdn.net" or siteurl like "img-data-backup.b-cdn.net" or url like "img-data-backup.b-cdn.net"
or domainname like "npmjs.help" or siteurl like "npmjs.help" or url like "npmjs.help"
or domainname like "websocket-api2.publicvm.com" or siteurl like "websocket-api2.publicvm.com" or url like "websocket-api2.publicvm.com"
Detection Query 2 (IOC IP address in either direction; run over firewall, flow and proxy events):
dstipaddress IN ("185.7.81.108") or srcipaddress IN ("185.7.81.108")
Both queries use the indicators as literal values. If the like operator in your deployment follows SQL semantics (exact match unless wildcards are given), wrap each value in wildcards so that the bare domains also match url and siteurl fields that carry a path or query string, and so that the two full URLs still match when a query string is appended. A hit on npmjs.help or its assets indicates a user who reached the credential-phishing page; a hit on the IOC IP or on websocket-api2.publicvm.com should be investigated in the same way.
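As an added example that is not part of the advisory and not code from Gurucul or Group-IB, the following Python script applies the same IOC set outside the SIEM, over raw log lines from proxy, DNS and firewall sources. The log lines are constructed for illustration, not real telemetry; the indicators are the ones listed above. The script goes beyond the two queries in two ways: any subdomain of an IOC domain counts as a hit (so www.npmjs.help matches npmjs.help), and IP tokens are validated and compared exactly, so look-alike values such as 185.7.81.10 or 185.7.81.1080 never match.

```python
"""Sweep free-text log lines for the npm 'qix' compromise IOCs (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the IOC list above.
IOC_DOMAINS = {
    "npmjs.help",
    "static-mw-host.b-cdn.net",
    "img-data-backup.b-cdn.net",
    "websocket-api2.publicvm.com",
}
IOC_URLS = {
    "https://websocket-api2.publicvm.com/images/jpg-to-png.php",
    "https://www.npmjs.help/login",
}
IOC_IPS = {"185.7.81.108"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Dotted hostnames ending in an alphabetic TLD; file names like login.css also match
# here, but they never equal an IOC domain, so they are harmless.
HOST_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.IGNORECASE)
# IPv4 tokens that are not embedded in a longer dotted-digit run (rejects 185.7.81.1080).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def domain_matches(host, ioc_domains=IOC_DOMAINS):
    """Return the IOC domain that host equals or is a subdomain of, else None.
    www.npmjs.help -> 'npmjs.help'; npmjs.help.example.com -> None."""
    host = host.lower().rstrip(".")
    for d in ioc_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def ip_matches(token, ioc_ips=IOC_IPS):
    """Exact match after validation, so 185.7.81.10 and 185.7.81.1080 never hit."""
    try:
        return str(ipaddress.ip_address(token)) in ioc_ips
    except ValueError:
        return False


def scan_line(line):
    """Return the set of IOCs hit by one log line, whatever its format."""
    hits = set()
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")          # strip trailing punctuation from prose-style logs
        if url in IOC_URLS:
            hits.add(url)
        host = urlparse(url).hostname
        if host and domain_matches(host):
            hits.add(domain_matches(host))
    for host in HOST_RE.findall(line):   # bare hosts from DNS / CONNECT lines
        if domain_matches(host):
            hits.add(domain_matches(host))
    for ip in IPV4_RE.findall(line):
        if ip_matches(ip):
            hits.add(ip)
    return hits


def scan_logs(lines):
    """Return [(line_number, sorted_hits)] for every line that hits at least one IOC."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, sorted(hits)))
    return results


# Constructed sample lines (not real telemetry): one per typical log source,
# plus two benign look-alikes that must not hit.
SAMPLE_LOGS = [
    "1757322010.123 842 10.20.30.41 TCP_TUNNEL/200 5120 CONNECT www.npmjs.help:443 - HIER_DIRECT/185.7.81.108 -",
    '2025-09-08T14:02:11Z user=dev01 method=GET url="https://static-mw-host.b-cdn.net/assets/login.css" status=200',
    "08-Sep-2025 14:05:40.002 client 10.20.30.41#53311: query: websocket-api2.publicvm.com IN A +",
    "SRC=10.20.30.41 DST=185.7.81.108 PROTO=TCP SPT=51233 DPT=443",
    '2025-09-08T14:10:00Z user=dev02 method=GET url="https://www.npmjs.com/login" status=200',
    "SRC=10.20.30.42 DST=185.7.81.10 PROTO=TCP SPT=51234 DPT=443",
]

if __name__ == "__main__":
    for number, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(hits)}")
```

Feed it real proxy, DNS and firewall exports with `scan_logs(open(path).read().splitlines())`; a hit on npmjs.help identifies the host whose user reached the phishing page, and that host's subsequent sessions to 185.7.81.108 and websocket-api2.publicvm.com are the next pivot.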
Reference:
https://www.group-ib.com/blog/detect-npm-supply-chain-attack/