is-arrayish
is-arrayish npm Package Compromised (Qix Account Takeover)
Attackers phished prolific npm maintainer Josh Junon (Qix) with the fake npmjs.help domain, intercepted credentials and 2FA tokens, and published malicious versions of this package. The payload combined a crypto-clipper with a self-propagating worm that harvested cloud and GitHub tokens. The danger was scale; tiny utility packages sat inside tens of millions of weekly installs.
- Date
- 2025-09-08
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- distribution
- Impact
- Financial Exploitation
- Cause
- Social Engineering
What Was Affected
Package
is-arrayish
LanguageJavaScript
ComponentLibrary
Artifact typesource archive
Domain typepackage host
Domain
npmjs.com
Compromised Versions
Incident Context
- Motive
- Financial gain
- Attribution
- Third Party
- Transitive
- No
- User Impact
- 50000000
- Observed Duration
- 0 days
External References
- varonis.com
- aikido.dev/blog/npm-debug-and-chalk-packages-compromised
- stepsecurity.io/blog/20-popular-npm-packages-compromised-chalk-debug-strip-ansi-color-convert-wrap-ansi
- blog.qualys.com/vulnerabilities-threat-research/2025/09/10/when-dependencies-turn-dangerous-responding-to-the-npm-supply-chain-attack
Source Data
Source record: oss/is-arrayish/meta.yaml