Qix npm account shipped wallet drainers
Part of the Qix phishing shipped wallet drainers campaign
Attackers phished Qix through npmjs.help and published malicious releases across widely used npm packages. Browser bundles could redirect crypto transactions.
Story
On September 8, 2025, attackers used a phished npm publishing credential belonging to Josh Junon, the developer known online as Qix, to push malicious releases of debug, chalk, and roughly two dozen other foundational JavaScript utilities. By aggregate weekly downloads, the affected packages reached close to two billion installs per week, making it one of the largest npm supply-chain incidents on record by exposure surface, though as researchers at Wiz, Aikido, and StepSecurity all emphasized in their post-incident write-ups, raw download counts measure reach, not confirmed victims.
debug and chalk are tiny, ubiquitous Node.js libraries that handle logging-level toggles and terminal color codes. Most JavaScript developers use them indirectly through the transitive-dependency graph of nearly every popular framework on npm. The packages had been maintained for years by Junon, whose npm account also covered ansi-regex, strip-ansi, wrap-ansi, ansi-styles, backslash, error-ex, and other terminal utilities. The phish that took his account, delivered through a convincing replica of npm's support pages hosted at npmjs.help, impersonated a routine two-factor reset prompt.
The injected payload, analyzed by Qualys and Aikido, was a browser-side cryptocurrency drainer. When bundled into a web application and executed in a user's browser, it hooked the standard Web3 wallet interfaces and watched for transactions on Ethereum, Bitcoin, Solana, Tron, Litecoin, and several other chains, rewriting destination addresses and approval payloads to attacker-controlled values before they were signed. Server-side Node.js installs received the tainted code as well, but the theft path required the package to make it into a deployed browser bundle.
Cleanup was unusually broad. Operators had to remove the bad versions from npm caches and lockfiles, scrub node_modules directories, and rebuild and redeploy any client-side bundle that had pulled in one of the affected packages during the publishing window. Follow-on packages taken over through credentials harvested in the same campaign are grouped under the qix-npm-phishing-2025 campaign; this record covers only the packages published directly from the Qix npm account.
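The lockfile sweep described in the cleanup paragraph, written out as an added example that is not part of this record or of any cited vendor tooling. It assumes the package names from the story as the watchlist and treats error-ex@1.3.3 (the version named in the cited GitHub issue) as the only known-bad version; KNOWN_BAD is otherwise a placeholder to be filled from an advisory, and the sample lockfile is constructed.

```javascript
// Added example (not from the page's sources): audit package-lock.json for the
// packages named in the story. Only error-ex@1.3.3 is known bad from this page.
const WATCHED = new Set(['debug', 'chalk', 'ansi-regex', 'strip-ansi', 'wrap-ansi',
  'ansi-styles', 'backslash', 'error-ex']);
const KNOWN_BAD = { 'error-ex': new Set(['1.3.3']) }; // placeholder: extend from advisory

// Yield {path, name, version} for every resolved copy, including nested ones.
// Supports lockfileVersion 2/3 ("packages" map) and v1 ("dependencies" tree).
function* resolvedPackages(lock) {
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      const i = p.lastIndexOf('node_modules/');
      if (i === -1) continue; // "" is the root project itself
      yield { path: p, name: p.slice(i + 13), version: meta.version };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { path, name, version: meta.version };
      yield* walk(meta.dependencies, `${path}/`); // v1 nests deps under each entry
    }
  }
  yield* walk(lock.dependencies, '');
}

// Report every copy of a watched package; knownBad is true only for a listed version.
function auditLockfile(lockJson) {
  const findings = [];
  for (const pkg of resolvedPackages(JSON.parse(lockJson))) {
    if (!WATCHED.has(pkg.name)) continue;
    findings.push({ ...pkg, knownBad: KNOWN_BAD[pkg.name]?.has(pkg.version) ?? false });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): a nested debug plus error-ex@1.3.3.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/chalk': { version: '4.1.2' },
    'node_modules/error-ex': { version: '1.3.3' },
    'node_modules/some-lib/node_modules/debug': { version: '4.3.4' },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK))
  console.log(`${f.knownBad ? 'KNOWN BAD' : 'verify   '} ${f.path}@${f.version}`);
```

Unflagged hits are still listed so the operator can check each resolved version against the advisory before rebuilding and redeploying browser bundles.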
Affected Artifacts
- Entries: 18 artifacts (package names not captured in this record)
- Observed: 2025-09-08 (all 18 entries)
- Compromised Versions: values not captured in this record
- Fixed: Not listed (all 18 entries)
Incident Context
- Motive: Financial Gain
- Attribution: Group
- Cause: Social Engineering
- Transitive: No
- Actor: Third Party
Notes
- Public reporting described roughly two billion aggregate weekly downloads for affected packages; that is exposure context, not a confirmed victim count.
External References
- Widespread npm Supply Chain Attack Breaking Down Impact Scope Across debug, chalk (wiz.io)
- npm debug and chalk packages compromised (aikido.dev)
- 20+ Popular NPM Packages Compromised (stepsecurity.io)
- When Dependencies Turn Dangerous: Responding to the NPM Supply Chain Attack (blog.qualys.com)
- error-ex@1.3.3 contains malware after npm account takeover (github.com)
Source record: oss/attacks/qix-npm-account/meta.yaml