Campaign · Open Source · 2025-09-08 · 1 day · Financial Exploitation

Qix phishing shipped wallet drainers

The Qix npm phishing campaign began with a fake npmjs.help login flow and poisoned at least 18 heavily depended-on JavaScript packages on September 8, 2025. Follow-on reporting tied the same wave to DuckDB, Prebid, proto-tinker-wc, and @coveops/abi.

Story

The September 2025 npm phishing wave was ordinary at the front door and enormous behind it. A maintainer received a fake npm support message from npmjs.help, followed the credential-reset flow, and effectively handed attackers publishing access. Within hours, malicious releases appeared under some of the most common JavaScript utility names.

The first public set centered on packages maintained by Josh Junon, including debug, chalk, ansi-regex, strip-ansi, wrap-ansi, and related color and terminal helpers. The packages were small, but their reach was not. Public reporting put their aggregate weekly download volume around two billion, with the malicious versions removed after a short exposure window.

The injected code was aimed at cryptocurrency theft rather than generic host compromise. It hid in client-side bundles, hooked browser and web3 APIs, watched for transaction material across Ethereum, Bitcoin, Solana, Tron, and other chains, and replaced destination addresses with attacker-controlled lookalikes before the user signed.

That payload choice made the blast radius more subtle than a server-side credential stealer. A compromised package could be installed in a build environment, bundled into browser code, and only become dangerous when a user later interacted with a wallet or transaction flow.

Follow-on reporting tied additional package surfaces to the same campaign, including DuckDB packages, Prebid packages, proto-tinker-wc, and @coveops/abi. Those are kept as separate attack records where the maintainer, project, or distribution boundary differs from the original Qix account.

The campaign record therefore carries the shared phishing path and wallet-drainer mechanics, while the leaf records preserve the exact package coordinates defenders need for lockfile, cache, mirror, and deployed-bundle searches.
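As an added example, not code from this record or from any of the reporting it cites, the following Node.js function performs the lockfile search described above. It handles both the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of versions 2 and 3; the known-bad table is seeded only with the two coordinates this page names (@coveops/abi 2.0.1 and proto-tinker-wc 0.1.87), the remaining Qix versions are a placeholder to fill from an advisory, and the sample lockfile is constructed.

```javascript
// Known malicious package@version coordinates. Only the two named on this page
// are filled in; the commented entry is a placeholder for the rest of the set.
const KNOWN_BAD = {
  '@coveops/abi': new Set(['2.0.1']),
  'proto-tinker-wc': new Set(['0.1.87']),
  // 'debug': new Set(['<version from advisory>']),  // placeholder, not a real value
};

// Package name from a v2/v3 "packages" key such as
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromPath(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Walk a parsed package-lock.json / npm-shrinkwrap.json object and return every
// hit as {name, version, path}. Both lockfile shapes are checked, because a v2
// file carries both and a hand-edited one may disagree between them.
function findCompromised(lockfile, knownBad = KNOWN_BAD) {
  const hits = [];
  const isBad = (name, version) => Boolean(knownBad[name] && knownBad[name].has(version));

  // lockfileVersion 2/3: "packages" keyed by install path; "" is the root project.
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === '' || !entry || !entry.version) continue;
    const name = entry.name || nameFromPath(key);
    if (isBad(name, entry.version)) hits.push({ name, version: entry.version, path: key });
  }

  // lockfileVersion 1 (and the v2 compatibility copy): nested "dependencies".
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (isBad(name, entry.version)) hits.push({ name, version: entry.version, path });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, '');

  // Drop duplicates where the same install path appeared in both shapes.
  const seen = new Set();
  return hits.filter((h) => !seen.has(h.path) && seen.add(h.path));
}

// Constructed v3 lockfile: a clean proto-tinker-wc and one transitive bad @coveops/abi.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/proto-tinker-wc': { version: '0.1.86' },
    'node_modules/some-lib': { version: '4.2.0' },
    'node_modules/some-lib/node_modules/@coveops/abi': { version: '2.0.1' },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) console.log(`${h.name}@${h.version} at ${h.path}`);
```

Point `findCompromised` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it over a real lockfile; the returned path tells you which dependency pulled the bad version in.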

Linked Attacks

2025

Top vector: Package registry
Top payload point: Distribution
5 entries (5 open source, 0 proprietary)

September (5 entries)
@coveops/abi shipped Qix wallet drainer

JFrog listed @coveops/abi 2.0.1 among the September 2025 npm phishing follow-on packages. The malicious release carried the same browser wallet-drainer family as the wider Qix campaign.

proto-tinker-wc shipped Qix wallet drainer

proto-tinker-wc 0.1.87 was reported with the same September 2025 npm wallet-drainer campaign. The malicious npm release put browser-side transaction manipulation code into a legitimate package path.

Campaign Context

Actor: Third Party
Attribution: Group
Cause: Unknown

Affected Packages

Notes

  • The Register reported the initial 18-package Qix set, while JFrog and later advisories reported additional package surfaces including DuckDB, Prebid, proto-tinker-wc, and @coveops/abi.
  • JFrog reported the initial compromised versions were downloaded more than 2.5 million times and that DuckDB-related follow-on versions were removed quickly.

External References

Source record: oss/campaigns/qix-npm-phishing-2025/meta.yaml