🚨 Security Alert: npm debug & chalk packages compromised 🚨

Sep 06, 2025, by Joe Vadakkan


A serious supply chain attack is targeting two of the most ubiquitous npm packages: debug and chalk. The fallout is staggering: over 2 billion downloads per week across 18 compromised packages, including widely used JavaScript ecosystem dependencies like ansi-styles, color-convert, strip-ansi, and others.

🔍 What happened?
Attackers gained maintainer access and published malicious versions ([email protected], [email protected]). Injected code was designed to hijack Web3/crypto wallet interactions, silently rerouting approvals/payments without user visibility.

Attackers obtained access to npm package maintainer accounts, possibly via phishing or compromised credentials, and published modified versions carrying malicious payloads. The post-install scripts executed without detection, making the attack stealthy.

This incident isn’t isolated. In recent months, Aikido Security detected similar malicious intrusions across ecosystem staples like rand-user-agent, xrpl (XRP Ledger SDK), and @gluestack-ui packages, often involving backdoors, RATs, and private key theft.

🌍 Who’s impacted?
Any developer or org pulling debug, chalk, or related dependencies (ansi-styles, strip-ansi, color-convert, etc.).
Web3 and crypto developers face the highest risk.
Enterprises may be exposed indirectly via transitive dependencies buried deep in their stacks.


⚠️ Why it matters
This isn’t isolated: recent npm compromises (rand-user-agent, xrpl, @gluestack-ui) show how fragile the supply chain is. A single poisoned update can undermine thousands of apps overnight.

🛡️ How to protect your org
Audit dependencies → Use SBOM + SCA tools.
Verify package integrity → Don’t blindly trust new versions.
Enforce MFA & key rotation for package maintainers.
Adopt Safe-Chain / sandbox tooling to block flagged packages.


✅ Takeaway
Software supply chain attacks are no longer edge cases; they are the new battleground. Security, engineering, and finance leaders must treat dependency risk like any other core business risk. Tools like Endor Labs and others are at the forefront of software supply chain security, providing tools and features, like its CLI endorctl, that can be installed and run using npm to scan and manage JavaScript project dependencies.