Two and a Half Hours
September 8, 2025. A single phishing email gives an attacker the npm account for `chalk`, `debug`, and sixteen other packages with 2.6 billion combined weekly downloads. The malicious versions sit live for two and a half hours.
Briefing
September 8, 2025. An operations channel posts that npm yanked malicious versions of chalk, debug, and sixteen other packages after maintainer qix was phished. The published payload targeted browser wallets. Your builds still run `npm ci` hourly. You need the full chain: alert, dependency pins, lockfile proof, CI windowing, then cleanup guidance, not a dry reading of semver ranges.
Your role
On-call engineer for a Node app that builds in CI several times a day. Your manager forwards an internal alert before you open Hacker News.
Objective
Trace the phishing-driven npm supply-chain incident from the internal alert to contaminated lockfile lines, prove which CI runs pulled the poison during the live window, then read the remediation note your security team drafted.
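The lockfile-proof and CI-windowing steps of that chain, as an added example that is not part of the original page or of the incident response it describes. Package names (chalk, debug) come from the brief; every version number, timestamp, run id and blob hash is a constructed placeholder, not a real indicator. It assumes a lockfileVersion-3 `package-lock.json` and a CI history that records which lockfile blob each `npm ci` installed from.

```python
"""Lockfile triage for a pinned-version supply-chain incident.

Added example, not code from the original page or from the incident response it
describes. Package names (chalk, debug) come from the brief; every version number,
timestamp, run id and hash below is a CONSTRUCTED placeholder, not a real IoC.
"""
import json
from datetime import datetime, timedelta, timezone

# (name, version) pairs the advisory says were published by the attacker.
# PLACEHOLDER versions: the real advisory's version list is not reproduced here.
COMPROMISED = {
    ("chalk", "0.0.0-bad"),
    ("debug", "0.0.0-bad"),
}

# The brief says the malicious versions were live for two and a half hours.
# The start time is a constructed placeholder, not the real publish time.
WINDOW_START = datetime(2025, 9, 8, 13, 0, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(hours=2, minutes=30)


def _lock(chalk_version: str, debug_version: str) -> str:
    """Build a minimal lockfileVersion-3 package-lock.json (constructed sample)."""
    def entry(name, version):
        return {
            "version": version,
            "resolved": f"https://registry.npmjs.org/{name}/-/{name}-{version}.tgz",
            "integrity": "sha512-PLACEHOLDER",
        }
    return json.dumps({
        "name": "forge-app",
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "forge-app", "dependencies": {"chalk": "^5.0.0", "debug": "^4.3.0"}},
            "node_modules/chalk": entry("chalk", chalk_version),
            "node_modules/debug": entry("debug", debug_version),
            "node_modules/ms": entry("ms", "2.1.3"),
        },
    }, indent=2)


# Two lockfile snapshots keyed by a placeholder git blob id; the second is the commit
# in which a dependency bump pulled in the attacker's chalk release.
LOCK_SNAPSHOTS = {
    "blob-clean": _lock("5.3.0", "4.3.4"),
    "blob-bumped": _lock("0.0.0-bad", "4.3.4"),
}

# Constructed CI history: run id, when `npm ci` started (UTC), and which lockfile it used.
CI_RUNS = [
    {"id": "run-1041", "started": "2025-09-08T12:40:00Z", "lock": "blob-clean"},
    {"id": "run-1042", "started": "2025-09-08T13:40:00Z", "lock": "blob-clean"},
    {"id": "run-1043", "started": "2025-09-08T14:40:00Z", "lock": "blob-bumped"},
    {"id": "run-1044", "started": "2025-09-08T16:40:00Z", "lock": "blob-bumped"},
]


def contaminated_entries(lock_text: str) -> list[tuple[str, str, str]]:
    """Return (lockfile path, name, version) for every installed package in the advisory set."""
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        # lockfile v2/v3 keys entries by install path; the name is everything after the
        # last "node_modules/" (scoped packages keep their "@scope/name" segment intact).
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if (name, version) in COMPROMISED:
            hits.append((path, name, version))
    return hits


def exposed_runs(runs, snapshots, start=WINDOW_START, end=WINDOW_END):
    """Runs that both pinned a compromised version and started while it was still
    downloadable. A bumped lockfile built after the yank normally fails `npm ci`
    (the tarball is gone) instead of installing the payload, unless a local npm
    cache still holds it; treat those runs as contaminated but check them separately."""
    exposed = []
    for run in runs:
        hits = contaminated_entries(snapshots[run["lock"]])
        started = datetime.fromisoformat(run["started"].replace("Z", "+00:00"))
        if hits and start <= started <= end:
            exposed.append((run["id"], [f"{n}@{v}" for _, n, v in hits]))
    return exposed


if __name__ == "__main__":
    for run_id, pins in exposed_runs(CI_RUNS, LOCK_SNAPSHOTS):
        print(f"{run_id}: installed {', '.join(pins)} during the live window")
```

Point `LOCK_SNAPSHOTS` at the real lockfile blobs from `git log -p package-lock.json` and `CI_RUNS` at your runner's job history, and replace `COMPROMISED` with the advisory's version list; the output is the set of runs whose artifacts need to be rebuilt and whose runner hosts need the cleanup note.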
Terminal environment
- user: responder
- host: build-runner-04
- cwd: /srv/forge-app
- steps: 9
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.