Securing Repos After the September 2025 NPM Supply Chain Attack

Introduction

On September 8, 2025, the JavaScript and Node.js ecosystem faced one of its most severe supply chain attacks to date. Attackers compromised the NPM account of a well-known developer, widely referred to as Qix, and injected malicious code into multiple highly popular packages.

The incident immediately raised questions about the trust model of open source dependencies. Despite billions of downloads and the potential for catastrophic damage, the actual financial loss was surprisingly small. Still, the attack confirmed that dependency chains remain a primary attack vector for modern applications.

At First Point, we developed guard-deps, an open source tool to detect and remediate malicious dependencies, to give developers a practical defense against incidents like this.

The September 2025 Attack in Detail

How It Started

  • Early on September 8, attackers phished the credentials of a well-known maintainer and bypassed the account's 2FA.
  • Using this access, they pushed compromised versions of at least 18 widely used NPM packages, including debug, chalk, color, figures, and ansi-regex.
  • Collectively, these packages are downloaded more than 2 billion times per week.

The Malicious Payload

  • The injected code targeted EVM compatible wallets such as MetaMask.
  • It silently replaced wallet addresses during transactions, redirecting funds to the attacker.
  • There were also concerns that the payload could attempt to steal seed phrases, but this has not been confirmed.

The Potential Impact

  • The scope was enormous. Any project using modern JavaScript tooling could have been exposed.
  • Affected domains included web apps, mobile apps, DeFi platforms, and backend services.
  • Despite the scale, the actual stolen funds were minimal, with reports citing as little as 497 dollars in losses.

Crypto Specific Effects

  • Both Ethereum and Solana wallets were reported as potential targets.
  • Hardware wallet users (Ledger, Trezor) were safe, as device screens forced address verification.
  • Software wallet users were advised to pause all on chain transactions.

Detection and Response

  • Ledger CTO Charles Guillemet raised the alarm publicly on X, warning users to verify all transactions on hardware wallets. His post is available here:
  • NPM acted quickly, removing the compromised packages and flagging affected versions.
  • Projects responded: Flamingo Finance, Infinit Labs, Tinyman, Orderly Network, and others confirmed they were not affected because they used older versions or were architecturally insulated.
  • Industry reaction: Stellar Development Foundation and other Web3 players reviewed dependencies and enforced stronger package security.

This incident also followed the August 2025 Nx compromise, showing a rising trend of account takeovers and phishing attacks against open source maintainers.

⚠️ Known Malicious Versions from the September 2025 Attack

The following NPM package versions were identified as malicious during the September 2025 supply chain attack.
🚫 Do NOT install or use these versions in your projects. Always roll back or upgrade to the patched release.

📦 Package             ❌ Malicious Version
ansi-regex             6.2.1
ansi-styles            6.2.2
backslash              0.2.1
chalk                  5.6.1
chalk-template         1.1.1
color                  5.0.1
color-convert          3.1.1
color-name             2.0.1
color-string           2.1.1
error-ex               1.3.3
has-ansi               6.0.1
is-arrayish            0.3.3
simple-swizzle         0.2.3
slice-ansi             7.1.1
strip-ansi             7.1.1
supports-color         10.2.1
supports-hyperlinks    4.1.1
wrap-ansi              9.0.1

Security Recommendations

For Users

  • Use hardware wallets and always verify addresses on the device screen.
  • If using software wallets, carefully inspect dApps before signing transactions.
  • Avoid blindly upgrading packages during an ongoing incident. Rolling back to safe versions such as [email protected] or [email protected] is safer until advisories are clear.

For Developers

  • Continuously scan dependencies with tools such as npm audit and third party scanners.
  • Strengthen 2FA practices and provide security training against phishing.
  • Audit your codebase for references to compromised packages including debug, chalk, color, figures, and ansi-regex.
  • Automate checks in CI pipelines so compromised versions cannot slip into production.

Introducing guard-deps

To address incidents like this, First Point built guard-deps, an open source tool that gives developers a way to detect, remediate, and enforce safe dependency versions.

Core Features

  • Works with npm, yarn, and pnpm lockfiles.
  • Scans monorepos recursively.
  • Automated remediation flow: remove lockfiles and node_modules, reinstall, enforce overrides, re-scan.
  • Outputs results as table, JSON, or Markdown.
  • CI integration with exit codes that can fail builds if compromised versions are detected.
  • Incident presets for rapid response (for example --preset npm-2025-09-qix).

Getting Started

Clone and link the tool from GitHub:

git clone https://github.com/First-Point/guard-deps
cd guard-deps
npm install
npm link

Scan for compromised packages:

guard-deps scan

Automatically fix unsafe versions:

guard-deps fix

Why This Matters

The September 2025 attack shows how fragile the open source ecosystem has become. Even one compromised maintainer account can cascade across billions of downloads in hours.

With guard-deps, we aim to:

  • Provide an open source defense mechanism against active supply chain compromises
  • Deliver ready-to-use remediation workflows rather than just detection
  • Help developers enforce strict security policies in CI pipelines

Conclusion

The incident may have caused minimal financial loss, but it demonstrated the scale of risk facing the JavaScript ecosystem. Supply chain attacks are here to stay, and proactive defense is no longer optional.

At First Point, we are committed to securing the open source ecosystem. guard-deps is our contribution to help developers protect their repositories from the next attack.

👉 Explore the project: First Point / guard-deps
⭐ Star it, use it in your repos, and join us in building a safer developer ecosystem.