Open Source 2025-09-08 · 1 day · Financial Exploitation

Prebid npm packages carried Qix wallet drainer

Part of the Qix phishing shipped wallet drainers campaign

Prebid.js and Prebid Universal Creative npm releases were briefly compromised during the September 2025 npm phishing wave. The affected packages carried crypto-transaction redirection malware.

Story

Prebid was one of the browser-facing follow-on surfaces in the September 2025 npm phishing wave. GitHub advisories and ecosystem databases identified malicious releases for prebid.js 10.9.2 and prebid-universal-creative 1.17.3, separate from the original Qix maintainer package set and the later DuckDB cluster.

The placement mattered. Prebid packages are used in advertising workflows that can reach production browser bundles, so a wallet-drainer payload did not need server persistence to create risk. If the malicious package was built into client-side code, it could run where users, wallets, and transaction prompts meet.

The shared campaign code targeted cryptocurrency activity. Reporting tied the family to web3 transaction monitoring and destination-address replacement, turning a normal dependency update into a possible payment-redirection path.

This record keeps the Prebid package coordinates together because the exposure query is package-specific: look for prebid.js@10.9.2 and prebid-universal-creative@1.17.3 in lockfiles, build caches, private mirrors, and deployed bundles. The parent campaign record carries the phishing infrastructure and wider Qix wallet-drainer context.
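The lockfile part of that exposure query can be scripted. The following is an added example, not code from this record or from the Prebid project: it checks a parsed npm `package-lock.json` (lockfile versions 1 to 3) for the two coordinates above. The names `findAffected`, `nameFromPath` and `SAMPLE_LOCK` are hypothetical, and the sample lockfile is constructed.

```javascript
// Coordinates are the two releases named in this record.
const AFFECTED = new Map([
  ["prebid.js", new Set(["10.9.2"])],
  ["prebid-universal-creative", new Set(["1.17.3"])],
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Takes a parsed package-lock.json and returns [{ name, version, where }].
function findAffected(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (AFFECTED.get(name)?.has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path. An aliased install
    // records the real package name in "name", so prefer it over the path.
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key !== "") check(entry.name ?? nameFromPath(key), entry.version, key);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps ?? {})) {
        check(name, entry.version, [...trail, name].join(" > "));
        walk(entry.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  name: "example-site", lockfileVersion: 3,
  packages: {
    "": { name: "example-site", version: "1.0.0" },
    "node_modules/prebid.js": { version: "10.9.2" },
    "node_modules/ad-wrapper/node_modules/prebid-universal-creative": { version: "1.17.2" },
    "node_modules/creative-alias": { name: "prebid-universal-creative", version: "1.17.3" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

Pass it the result of `JSON.parse` on each lockfile's contents. A clean lockfile does not clear build caches, private mirrors, or already-deployed bundles, which need their own checks.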

Affected Artifacts

Incident Context

Motive: Financial Gain
Attribution: Group
Cause: Social Engineering
Transitive: No
Actor: Third Party

External References

Source record: oss/attacks/prebid-npm/meta.yaml