Version not present in this repo has been pushed out to npm. https://www.npmjs.com/package/debug/v/4.4.2?activeTab=code src/index.js seems to contain a cryptominer installer something like a cryptostealer?
My brain is too foggy to figure out, but seems as if most of the payload doesn't actually run if typeof window == undefined as is the case in NodeJS runtime?
My account has been restored; all packages should be back to normal (at least, those published by me).
Other maintainers have been affected. Stay vigilant.
Going to try to get some sleep tonight after double checking all packages.
08 Sep 2025 21:59 CEST
Message from NPM:
"All impacted package versions have been taken down. I'll be in touch when we have more information regarding account recovery."
I've requested further information about which packages were published, their versions, and all account actions NPM took.
08 Sep 2025 21:50 CEST
No contact with npm since last update. Account still not recovered. Assume some packages are still compromised.
Less urgent: a few comments popping up about "why do is-arrayish et al even exist?". I'll talk more about this in the post-mortem but the answer is two-fold: 1) they probably shouldn't, but 2) they were written as old as 15 years ago to solve something not provided by any standard library.
08 Sep 2025 20:46 CEST
Minimal contact with npm, mostly about whether or not I have my recovery codes (which is irrelevant since the account email has been changed anyway).
I can't give any authoritative updates on which packages were compromised aside from the ones below, if any, nor the current status of my npm account, nor any affirmative status of the packages in question (yanked or still compromised, etc).
Out of an abundance of caution, until I can confirm with npm, please do not assume missing afflicted version number == safe package. I have been given no details or updates from npm about the status of anything so please remain vigilant.
08 Sep 2025 19:17 CEST
I've received first contact from NPM. They have told me they are aware of the breach and are working to remove the packages, but have not specified any details beyond that.
They have asked if I still have a CLI session to switch my account; that was the first thing I tried, all tokens were immediately revoked.
Awaiting further comms.
08 Sep 2025 18:59 CEST
No communication from NPM still. I still have no access to the account. Packages are still to be considered compromised.
I have emailed and called Porkbun to escalate the abuse complaint as far as possible. The amount of work that went into this phish is somehow both horrifying and a little flattering. I'd like to think it was just for me.
08 Sep 2025 17:35 CEST
Hello, thanks. Actually found out about this on bluesky.
Yes, I've been pwned. First time for everything, I suppose. It was a 2FA reset email that looked shockingly authentic. I should have paid better attention, but it slipped past me. Sincerely sorry, this is embarrassing.
I've been locked out of my account on npm. I'm awaiting support's response to me. If someone at NPM is able to get in contact with me to escalate, ticket number is 3738263.
NPM is only affected. It was a personal account. Repositories are not affected.
The email came from support at npmjs dot help.
All affected packages:
ansi-styles@6.2.2
debug@4.4.2
chalk@5.6.1
supports-color@10.2.1
strip-ansi@7.1.1
ansi-regex@6.2.1
wrap-ansi@9.0.1
color-convert@3.1.1
color-name@2.0.1
is-arrayish@0.3.3
slice-ansi@7.1.1
color@5.0.1
color-string@2.1.1
simple-swizzle@0.2.3
supports-hyperlinks@4.1.1
has-ansi@6.0.1
chalk-template@1.1.1
backslash@0.2.1
There might be others; these are just the ones I got email notifications for.
@sindresorhus has already published over anything under @chalk and has booted me off.
This appears targeted, or at least with a filter for high downloads. Many other packages on my account are untouched.
Rest assured I'll be dealing with this all day; still waiting on npm. Sorry everyone.
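For anyone triaging their own trees against the list above, the following is an added example written for this thread, not code from the maintainer or from any of the affected projects. It scans a parsed `package-lock.json` for the exact `name@version` pairs listed above, covering both the lockfile v2/v3 `packages` map (keyed by install path, with `""` for the root project) and the older v1 nested `dependencies` tree. The sample lockfile at the bottom is constructed for a stand-alone run; in practice you would pass the contents of your real lockfile to `scanLockfileJson`. Matching is on exact versions only, because the compromised releases are specific versions rather than ranges, and because the list above is explicitly described as possibly incomplete, a clean result is a floor, not a guarantee.

```javascript
// Added example (not part of the original thread): report lockfile entries that
// match the compromised package@version pairs listed in the comment above.

// List copied from the comment above. Exact versions only.
const COMPROMISED = new Set([
  "ansi-styles@6.2.2", "debug@4.4.2", "chalk@5.6.1", "supports-color@10.2.1",
  "strip-ansi@7.1.1", "ansi-regex@6.2.1", "wrap-ansi@9.0.1", "color-convert@3.1.1",
  "color-name@2.0.1", "is-arrayish@0.3.3", "slice-ansi@7.1.1", "color@5.0.1",
  "color-string@2.1.1", "simple-swizzle@0.2.3", "supports-hyperlinks@4.1.1",
  "has-ansi@6.0.1", "chalk-template@1.1.1", "backslash@0.2.1",
]);

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/chalk/node_modules/ansi-styles" -> "ansi-styles".
// Scoped names keep their "@scope/" prefix because the split is on "node_modules/".
function nameFromPath(installPath) {
  const parts = installPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Walk a parsed lockfile object and return every match as {name, version, path}.
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // "" is the root project itself
    const name = meta.name || nameFromPath(installPath);
    if (compromised.has(`${name}@${meta.version}`)) {
      hits.push({ name, version: meta.version, path: installPath });
    }
  }

  // lockfileVersion 1: nested "dependencies" tree, recursed with the install path.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const installPath = `${prefix}node_modules/${name}`;
      if (compromised.has(`${name}@${meta.version}`)) {
        hits.push({ name, version: meta.version, path: installPath });
      }
      walk(meta.dependencies, `${installPath}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");

  return hits;
}

// Convenience wrapper for raw lockfile text (e.g. fs.readFileSync("package-lock.json", "utf8")).
function scanLockfileJson(text) {
  return findCompromised(JSON.parse(text));
}

// Constructed sample lockfile (v3 shape): one clean debug release and one
// transitive copy of a listed ansi-styles version nested under a listed chalk version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/debug": { version: "4.4.1" },
    "node_modules/chalk": { version: "5.6.1" },
    "node_modules/chalk/node_modules/ansi-styles": { version: "6.2.2" },
  },
};

for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`compromised: ${hit.name}@${hit.version} at ${hit.path}`);
}
```

The nested-path output matters: a hoisted `npm ls chalk` style check can miss a second copy installed under another package's `node_modules`, which is exactly where the sample's `ansi-styles@6.2.2` sits.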
Thanks @tadhglewis - a GH security advisory was opened, I can't find the link all of a sudden (it was someone else who posted it). Will find it tomorrow.
As for the actual CVE system (as in cve.org) that's what I'm referring to as not being sure whether or not one is necessary.
Activity
Title changed from "Version 4.4.2 published on npm seems to contain cryptominer" to "Version 4.4.2 published to npm is compromised"
rewento commented on Sep 8, 2025
jdstaerk commented on Sep 8, 2025
elrrrrrrr commented on Sep 9, 2025
fix: qix (#275)
Qix- commented on Sep 9, 2025
All updates timestamped. Newest = first.
joeattardi commented on Sep 9, 2025
Is it just version 4.4.2? The GitHub advisory says all versions > 0 but not sure.
erik1o6 commented on Sep 9, 2025
I wrote a script to test if the vulnerability is present at the github org level on all repos. https://gist.github.com/erik1o6/b53302a24e91031a1190d38ec2b5ee2b
tadhglewis commented on Sep 9, 2025
@Qix- Apologies, just catching up on the thread. I believe you were referring to GHSA-8mgj-vmr8-frr6, I agree this should be sufficient and includes a reference to other packages compromised :)
JeDaYoshi commented on Sep 9, 2025
Hope you can get some rest after this awful situation @Qix-, and thanks for your transparency!
EdSwarthout commented on Sep 9, 2025
Wouldn't requiring a direct link between a github release and a npmjs package help prevent this?
It would have certainly prevented the simple-swizzle malware -- as it is a read-only repo.
Qix- commented on Sep 9, 2025
It's how it is due to history, but yeah that would have definitely helped. But not all code on npm is hosted on GitHub - the option to do that would have helped.
Title changed from "Version 4.4.2 published to npm is compromised" to "(RESOLVED) Version 4.4.2 published to npm is compromised"
Referenced in github/advisory-database#6103: npm malware advisories (2025-09-09)
orazioedoardo commented on Sep 9, 2025
@Qix- if you haven't done it, recommend setting up WebAuthn 2FA on your npm account, such as via a security key (for example Yubikey) or supported password manager like Google / Apple, 1Password, KeepassXC, Bitwarden. Since WebAuthn credentials are bound to the origin they were registered on, phishing attacks like this are essentially impossible.
cscnk52 commented on Sep 9, 2025
Propose using npm trust publish, related to #1010
hazae41 commented on Sep 9, 2025
This only shifts the problem, if a malware runs on dev's computer, it can do anything, including modifying the source code, committing it to GitHub, releasing a new version, and then uncommit/rollback the git tree, this is pure snake oil, the real solution is to stop the mess of including the whole NPM database in every single project