S4E

Malicious NPM Packages Supply Chain Attack Detection Scanner

This scanner detects compromised npm packages from the September 2025 supply chain attack in digital assets. It identifies package versions tied to that critical incident so that affected dependencies can be found and removed before they are exploited, supporting early detection and response in development and production environments.

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 20 seconds
Time Interval: 18 days 12 hours
Scan only one: URL
Toolbox: -

npm packages are widely used components in modern JavaScript and Node.js ecosystems, integrated into frameworks, developer tools, and production applications. Developers rely on npm as a trusted package registry to streamline development. That trust makes npm packages an attractive target for attackers. In September 2025, attackers compromised the Qix maintainer account and published malicious versions of several widely used npm packages. Because these packages sit deep in dependency trees, the malicious versions propagated rapidly across software supply chains, and organizations that installed them unknowingly introduced the injected code into their environments.

The detection focuses on identifying compromised versions of popular npm packages involved in this supply chain attack. The injected code was designed to intercept cryptocurrency transactions and Web3 wallet activity, which makes the compromised versions particularly dangerous for client-side applications that bundle them into code running in users' browsers. The scanner provides an automated way to flag affected dependencies in package.json and package-lock.json files, giving organizations quick insight into their dependency risk. Detecting these versions early lets teams pin or upgrade away from them before the payload can run.

In this case, several widely used npm packages were compromised. Some of the affected packages include:

The scanner works by matching specific version numbers of compromised npm packages in package.json and package-lock.json. Each targeted package has its own regex matcher that confirms both the package name and an exact version known to carry the malicious payload; matching on exact name/version pairs keeps false positives low. Two caveats apply. First, package.json usually declares version ranges (for example a caret or tilde range) rather than exact pins, and an exact-version match cannot tell whether a range resolves to a compromised release; package-lock.json records the resolved versions, including transitive dependencies, so it is the more reliable file to check. Second, the lockfile describes what would be installed, not necessarily what is installed, so developers should also confirm the installed tree (for example with `npm ls <package>`) and review these files manually to make sure no compromised dependency remains unnoticed.
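As an added illustration of the matching described above (example code written for this page, not S4E's scanner), the following Node.js snippet checks package.json pins and package-lock.json resolved versions against a list of known-bad package@version pairs. The package names and versions in the list and in the sample files are constructed placeholders, not the actual compromised releases; a real deployment would load the vetted list for the September 2025 incident. It goes one step beyond exact matching by reporting package.json ranges that cannot be judged without the lockfile.

```javascript
// Added example (not S4E's scanner): match known-bad npm package versions in
// package.json and package-lock.json. Package names and versions here are
// constructed placeholders, not the real compromised releases.
const COMPROMISED = new Map([
  ["example-color-lib", new Set(["1.0.1"])],
  ["example-debug-lib", new Set(["2.3.4"])],
]);

// Exact semver (no range operator, no prerelease tag); anything else is a range.
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

// package.json declares ranges more often than exact pins. An exact-version
// matcher only proves anything for pins; ranges are reported so the caller
// knows to resolve them against the lockfile or the installed tree.
function scanManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const bad = COMPROMISED.get(name);
      if (!bad) continue;
      if (bad.has(spec)) {
        findings.push({ source: "package.json", section, name, version: spec, status: "compromised" });
      } else if (!EXACT_VERSION.test(spec)) {
        findings.push({ source: "package.json", section, name, version: spec, status: "range-check-lockfile" });
      }
    }
  }
  return findings;
}

// package-lock.json records resolved versions, including transitive ones.
// lockfileVersion 2 and 3 keep a flat "packages" map keyed by install path;
// v1 (and v2, for compatibility) nests "dependencies" recursively. When the
// flat map is present it is authoritative, so the nested tree is skipped to
// avoid double-reporting the same install.
function scanLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];
  const record = (name, version, path) => {
    const bad = COMPROMISED.get(name);
    if (bad && bad.has(version)) {
      findings.push({ source: "package-lock.json", name, version, path, status: "compromised" });
    }
  };
  if (lock.packages) {
    const marker = "node_modules/";
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      // Aliased installs carry an explicit "name"; otherwise derive it from the
      // path, which also handles scoped packages (.../node_modules/@scope/pkg).
      const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
      record(name, entry.version, path);
    }
    return findings;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      record(name, entry.version, path);
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return findings;
}

// Constructed sample inputs standing in for a project's files.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: {
    "example-color-lib": "1.0.1",  // exact pin on a bad version
    "example-debug-lib": "^2.3.0", // range that admits 2.3.4
    "left-pad": "1.3.0",
  },
});

const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/example-color-lib": { version: "1.0.1" },
    "node_modules/example-debug-lib": { version: "2.3.4" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-tool/node_modules/example-color-lib": { version: "1.0.0" }, // clean nested copy
  },
});

console.log(scanManifest(SAMPLE_PACKAGE_JSON));
console.log(scanLockfile(SAMPLE_LOCKFILE));
```

Run it with `node scan.js`. The manifest scan flags the exact pin as compromised and the caret range as "range-check-lockfile"; the lockfile scan then confirms that the range resolved to a bad version while the nested 1.0.0 copy is left alone. Treating the lockfile as authoritative and the manifest as a hint is the behaviour to expect from any exact-version matcher.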

If the compromised versions reach production, the malicious code can expose sensitive user data, particularly cryptocurrency and Web3 wallet activity. Attackers could intercept transactions and redirect funds, leading to direct financial theft. Beyond theft, code running with the application's privileges may also reach authentication tokens and private keys, which can widen the compromise to other digital assets, applications, and infrastructure. Reputational damage and loss of customer trust follow, and the longer-term effect is reduced confidence in software supply chains for both the affected organizations and the wider open-source community.
