Josh Junon
@bad-at-computer.bsky.social
Coding @ github.com/qix-, making an operating system @ github.com/oro-os
Hope everyone had a fun and safe Halloween 🎃
Hugops going out to everyone affected by the worm today. Ping me to DM and AMA if you've been affected. Will guide and assist as best as I can.
debug: CVE-2025-59144
error-ex: CVE-2025-59330
color-string: CVE-2025-59142
backslash: CVE-2025-59140
is-arrayish: CVE-2025-59331
simple-swizzle: CVE-2025-59141
color: CVE-2025-59143
color-convert: CVE-2025-59162
color-name: CVE-2025-59145
<pending publication>
Chalk pkgs still pending; bear with.
(and sorry for taking so long, I didn't quite know how to go about doing anything like this at this scale before. I will definitely document this for others to get an idea, hopefully it saves some headache later)
Also shoutout to the GH employee that reviewed the CVE request in minutes; I assume that was a real human doing that. Thank you.
I have the NPM logs. Not much unexpected except an IP address that wasn't previously known. It seems clear it was indeed an MITM via the known IP that's out there, followed by account actions via a private IPv6 address.
Hi, I missed error-ex in the publishing spree the other day, will publish a new version shortly. My apologies, been another round of busy days/weekend.
Still waiting for access to account logs for the post mortem. Trying to get it out ASAP, sorry to those who need it. Doing my best to get it done.
All packages have been published over. Please let me know if I broke you somehow and I'll get it fixed ASAP. Security advisories drafted and CVEs requested; not sure if they should be published immediately without the CVE yet so have held off until I get some guidance (or they're alloc'd).
Half of the packages have been published now, slowly working through them. If you see anything messed up please let me know.
Took the first real break last night in a week. Highly necessary. Thanks to those who reached out for npm contacts, sounds like things will get handled today.
Post mortem is still on hold until I can get everyone secure again. Npm has not been helpful and I'm currently blocked. I'm sorry for the continued delay, I'd like to be done with this more than anyone else, believe me.
Does anyone have a contact at npm who can contact me directly? This is getting silly. Non sequiturs and hours between responses are so unprofessional I'm getting irritated. People are still affected by cached versions with malware and once again there's nothing I can do to help them.
Hi, something still isn't right with my account configuration. Going to hold off on the package updates until I can receive a response from npm. There is no threat or continued breach, but I'm not able to publish in a way I'm confident will be secure quite yet. Please bear with.
⚠️ Heads Up: New patch versions of all affected repositories will be going out today. Please expect that. Will start in the next hour and will be taking things very slowly. Chalk repositories are not included in this, as Sindre has already taken care of them. I am terrified, lmk if I mess up.
Forgot to mention, they will be identical to the current (non-compromised) versions, released as <compromised_version + 1 patch>.
I feel as though I should write a runbook for other maintainers who are in this situation to help guide them through the process of dealing with a situation like this. Thinking back, I realize now that "what's next" was the prevailing unanswered question at several points throughout it.
Keeping in mind that a post mortem is on the way and that new package versions will be pushed today, if you have any process improvements you think should be included, (aside from "don't get phished"), I'd love to hear them - even if you're not a security professional.
Post-mortem to come tomorrow, along with publishing a new version for all affected packages to help cache-bust some of you on e.g. private registries or mirrors. Thank you all again for the patience and for the kindness.
Hello Deno users - if you're still getting one of the infected packages, please clear out your DENO_DIR.
The memes have been fire btw, thank you 🙏
Hi everyone. The 'next day' busy-ness has fully set in. Since I still haven't gotten any followup from npm regarding account actions taken, and given that I have now been approached by authorities, I will need to hold off on the post-mortem for a day or two. Sincerest apologies for the delay.
Everything looks alright, please ping me if something (of mine) looks out of place. Thank you to everyone for the kind words of support, it really did help ❤️ Time for bed.
NPM account restored. My packages should be back to normal; going to do a quick skim to make sure before calling it a day. NPM doesn't show audit logs so unfortunately it's on them to release any information I haven't already given myself. Post-mortem to come tomorrow. Thank you everyone <3
For anyone who has checks or can otherwise use this information: I won't be publishing anything over the next 48 hours minimum, probably the next week. Still have not regained access though npm is starting to help with that.
NPM is now working to restore my access to the account. Will need to take a break for the evening now that things have settled and I've been in pain all day. Will begin a full retro and post-mortem tomorrow (sorry for the delay). Feel free to send any Q's my direction in the meantime.
Yes, there's at least one other confirmed package that's been hit. I would imagine I'm probably the first / 'loudest' that has been affected, but despite thinking so earlier I don't think this was targeted. They must have filtered based on download count or something to choose which packages to hit.
Our malware systems at Sonatype seem to be picking these up coming from other, not yet reported accounts. This attack seems to have landed more publishers as this unfolds. Check your accounts folks while we work with others to contain.
To be clear for anyone curious (sorry, should have syndicated this sooner): Only my NPM account was breached. Password is not shared. Repositories were not touched.
Message from NPM: "All impacted package versions have been taken down. I'll be in touch when we have more information regarding account recovery." I've requested further information about which packages were published, their versions, and all account actions NPM took.
Looks like things are being taken down slowly, but please stay vigilant; I have no control over what's happening to my account right now, nor any info. It's not clear if npm has taken complete control over it or not. They are not communicating with me whatsoever. Access has not been re-established.
First contact with npm. They are aware of breach. No details beyond that.
NPM has yet to respond to any of this, but it appears at least `debug`'s malicious package version has been yanked. I contacted about the phishing domain and called support to have it escalated. Nothing I can do but sit and wait right now. Sorry folks.
Yep, I've been pwned. 2FA reset email, looked very legitimate. Only NPM affected. I've sent an email off to see if I can get access again. Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.
@bad-at-computer.bsky.social Hey. Your npm account seems to have been compromised. 1 hour ago it started posting packages with backdoors to all your popular packages.