ISLAMABAD: A critical supply chain compromise has been disclosed in the npm JavaScript ecosystem, exposing enterprises worldwide to risks of cryptocurrency theft, credential leakage and unauthorized code execution.

This was revealed in an advisory issued by the National Cyber Emergency Response Team of Pakistan (NCERT), which urged organizations to immediately upgrade to the latest fixed versions of all compromised npm packages.

The incident, reported on September 8, 2025, occurred after attackers compromised the credentials of maintainer Josh Junon (alias qix) and uploaded malicious versions of widely used packages. At least 18 popular libraries — including debug, chalk, ansi-styles, and strip-ansi — were affected. These malicious releases were automatically fetched by developers and CI/CD pipelines, significantly widening the scope of impact.

The injected code contained a browser-based cryptostealer payload designed to silently intercept cryptocurrency transactions, exfiltrate API keys and credentials, and redirect sensitive data. Exploitation required no user interaction beyond installation, making the attack low-complexity but high-impact.

Industry experts have assessed the compromise as critical, assigning it an estimated CVSS v3.1 score of 9.8. Indicators of compromise include outbound connections to attacker-controlled cryptocurrency wallets and abnormal credential harvesting activity from application logs.

With npm packages embedded in financial systems, e-commerce platforms, and enterprise applications, the compromise poses a material risk to business continuity and supply chain integrity. Analysts warn that compromised dependencies can propagate rapidly across downstream systems, potentially exposing corporate networks to systemic breaches.

The National CERT has urged organizations to rebuild and redeploy affected applications; rotate all credentials, tokens and API keys exposed during the attack window; and strengthen supply chain security by enforcing MFA for maintainer accounts, restricting unverified dependency updates and monitoring pipelines for anomalies.
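As an added example that is not from the article or the NCERT advisory, the following script checks an npm lockfile for every installed copy of the packages named above, including nested transitive copies; the compromised-version list it carries is a placeholder to be filled from the advisory, and the sample lockfile is constructed.

```javascript
// Added example, not code from the article or the NCERT advisory. It scans an
// npm package-lock.json (lockfileVersion 2 or 3, whose "packages" map is keyed
// by install path) for every installed copy of the packages the advisory names
// and flags copies whose version is on a compromised list. The versions below
// are PLACEHOLDERS: replace them with those listed in the advisory you act on.
const COMPROMISED_VERSIONS = {
  "debug":       new Set(["0.0.0-PLACEHOLDER"]),
  "chalk":       new Set(["0.0.0-PLACEHOLDER"]),
  "ansi-styles": new Set(["0.0.0-PLACEHOLDER"]),
  "strip-ansi":  new Set(["0.0.0-PLACEHOLDER"]),
};

// Package name from an install path; nested copies look like
// "node_modules/express/node_modules/debug", scoped names keep "@scope/".
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i < 0 ? installPath : installPath.slice(i + marker.length);
}

// One finding per installed copy of a watched package, so transitive (nested)
// copies are caught even when only the top-level dependency is pinned.
function auditLockfile(lock, watchlist = COMPROMISED_VERSIONS) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // "" is the root project entry
    const name = packageNameFromPath(installPath);
    const bad = watchlist[name];
    if (!bad) continue;
    findings.push({ path: installPath, name, version: entry.version, compromised: bad.has(entry.version) });
  }
  return findings;
}

// Only the copies that must be replaced (then rebuild, redeploy, rotate secrets).
function compromisedCopies(lock, watchlist = COMPROMISED_VERSIONS) {
  return auditLockfile(lock, watchlist).filter((f) => f.compromised);
}
// Constructed sample lockfile for the demonstration, not a real project's.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { chalk: "^5.0.0", express: "^4.0.0" } },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/express/node_modules/debug": { version: "0.0.0-PLACEHOLDER" },
  },
};
console.log(JSON.stringify(compromisedCopies(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")); lockfileVersion 1 files have no "packages" map and would need their older "dependencies" tree walked instead.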

npm packages account for more than 2 billion weekly downloads globally. Experts note that Pakistan’s digital economy — increasingly dependent on open-source software — must adopt stronger safeguards to mitigate such systemic risks.

“This incident underscores the vulnerability of modern supply chains to upstream compromise,” the advisory stated, warning that failure to act promptly could result in long-term infiltration of enterprise systems.

Copyright Business Recorder, 2025