The largest supply-chain attack ever…


Summary based on the YouTube transcript and episode description.

Fireship covers the largest npm supply chain attack in history: a phishing attack on maintainer Josh ‘qix’ Juneau compromised packages with a combined 2.5 billion weekly downloads for roughly 2 hours.

  • The attacker phished npm maintainer Josh ‘qix’ Juneau with a fake 2FA-expiry email sent from the spoofed domain support-npmjs.help.
  • Compromised packages include Chalk, debug, and ansi-styles, which together see over 2.5 billion weekly downloads.
  • The malicious code was a crypto clipper aimed at MetaMask users: it silently swapped the destination wallet address while a transaction was being prepared.
  • The payload used the Levenshtein distance to choose, from the attacker's addresses, the one visually closest to the user's intended address, so the swap was less likely to be noticed.
  • The packages were compromised for roughly 2 hours, during which they were installed millions of times across CI/CD pipelines and production systems worldwide.
  • Despite that reach, the attackers stole only approximately $50 worth of Ethereum.
  • The incident highlights a systemic npm trust problem: there are no additional safeguards for very-high-download packages, despite repeated supply chain attacks.
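The lookalike-address selection described in the bullets above can be turned around into a defensive check: if a proposed destination is close in edit distance to an address the user has sent to before, but not identical to it, that is exactly the pattern a clipper produces. The code below is an added example written for this summary; it is not code from the video, from Fireship, or from the compromised packages. The address-book entries are constructed sample data, and the `levenshtein` and `checkDestination` helpers are names chosen here for illustration.

```javascript
// Added example, not from the video or the affected packages: a wallet-side
// lookalike check built on the same Levenshtein metric the clipper used.

// Classic dynamic-programming Levenshtein (edit) distance between two strings.
function levenshtein(a, b) {
  const cols = b.length + 1;
  let prev = Array.from({ length: cols }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[cols - 1];
}

// EVM addresses are case-insensitive hex, so compare in a canonical form.
function normalize(addr) {
  return String(addr).trim().toLowerCase();
}

// Constructed address book (sample data, not real wallets).
const ADDRESS_BOOK = [
  "0x" + "1".repeat(40),
  "0x" + "abcdef".repeat(6) + "abcd",
];

// Verdict for a proposed destination:
//  - "known":     exactly matches an address-book entry
//  - "lookalike": differs from a known entry by <= maxDistance edits; the
//                 caller should stop and ask the user to confirm explicitly
//  - "unknown":   nothing nearby; treat as an ordinary first-time recipient
function checkDestination(dest, book = ADDRESS_BOOK, maxDistance = 6) {
  const d = normalize(dest);
  let best = null;
  for (const entry of book) {
    const e = normalize(entry);
    if (e === d) return { verdict: "known", match: entry, distance: 0 };
    const dist = levenshtein(d, e);
    if (best === null || dist < best.distance) best = { match: entry, distance: dist };
  }
  if (best && best.distance <= maxDistance) {
    return { verdict: "lookalike", match: best.match, distance: best.distance };
  }
  return { verdict: "unknown", match: null, distance: best ? best.distance : null };
}

// Demo: a destination that differs from a known address only in its last character.
console.log(checkDestination("0x" + "1".repeat(39) + "9"));
```

The threshold is deliberately small: a clipper that optimises for visual similarity lands within a handful of edits of the original, while two unrelated 40-character addresses are tens of edits apart, so a low `maxDistance` separates the two cases cleanly without producing false positives on genuinely new recipients.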

2025-09-09