Two and a Half Hours
September 8, 2025. A single phishing email gives an attacker the npm account for `chalk`, `debug`, and sixteen other packages with 2.6 billion combined weekly downloads. The malicious versions sit live for two and a half hours.
Briefing
On September 8, 2025, attackers phished Josh Junon (npm: qix), the maintainer of 18 widely used packages including chalk, debug, ansi-styles, supports-color, and strip-ansi, and used his account to publish one malicious version of each. The injected payload ran in the browser: when a bundle shipped one of these packages, it hooked network and crypto-wallet APIs and rewrote the destination address of a transaction before the user signed it. The bad versions were live for roughly 2.5 hours before npm pulled them. Your CI runs `npm ci` on every PR, which installs exactly what the lockfile pins. Walk your lockfile, every revision of it that built during the window, and your CI history.
Your role
On-call engineer for a Node app that builds in CI several times a day. The advisory thread on Hacker News is two hours old and still moving.
Objective
Decide whether your app installed any of the malicious versions in the last 24 hours (both in the lockfile as committed now and in any lockfile revision CI built during the window), and what to do if it did.
Terminal environment
- user: responder
- host: build-runner-04
- cwd: /srv/forge-app
- steps: 6
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.