
Supply Chain attack to NPM on 8 September 2025 #2015

@rgaiacs

Description

@consideRatio mentioned a recent supply chain attack to NPM. I'm creating this issue to have a single point of information.

What did happen?

Some authors of NPM packages received a phishing email from support@npmjs.help (instead of npmjs.com) requesting the two-factor authentication to be updated.

The attacker used the phishing two-factor authentication request to gain access to some user accounts and published compromised packages.

What packages were compromised?

The list circulated by Aikido Security BV is

| Package | Version |
| --- | --- |
| backslash | 0.2.1 |
| chalk-template | 1.1.1 |
| supports-hyperlinks | 4.1.1 |
| has-ansi | 6.0.1 |
| simple-swizzle | 0.2.3 |
| color-string | 2.1.1 |
| error-ex | 1.3.3 |
| color-name | 2.0.1 |
| is-arrayish | 0.3.3 |
| slice-ansi | 7.1.1 |
| color-convert | 3.1.1 |
| wrap-ansi | 9.0.1 |
| ansi-regex | 6.2.1 |
| supports-color | 10.2.1 |
| strip-ansi | 7.1.1 |
| chalk | 5.6.1 |
| debug | 4.4.2 |
| ansi-styles | 6.2.2 |

Is BinderHub compromised?

This requires a bit of investigation as we only store package.json. Maybe we should also use package-lock.json. This would require minor changes in the GitHub Actions.

@yuvipanda what is your position regarding adding package-lock.json?

Sources

  1. https://github.com/orgs/community/discussions/172738
  2. GHSA-8mgj-vmr8-frr6
  3. https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
  4. https://news.ycombinator.com/item?id=45169657
