(RESOLVED) Version 4.4.2 published to npm is compromised

[Informatic]

MESSAGE FROM @Qix- : PLEASE SEE #1005 (comment) FOR LATEST UPDATES.

---

Version not present in this repo has been pushed out to npm.
https://www.npmjs.com/package/debug/v/4.4.2?activeTab=code
src/index.js seems to contain a cryptominer installer something like a cryptostealer?
My brain is too foggy to figure out, but seems as if most of the payload doesn't actually run if typeof window == undefined as is the case in NodeJS runtime?

[rewento]

The afflicted npm packages share this prolific collaborator: https://www.npmjs.com/~qix

Perhaps he has suffered a security compromise.

[jdstaerk]

It seems like all packages of https://www.npmjs.com/~qix got hacked. See https://github.com/Qix-/node-error-ex/issues/17#issue-3394431258

[elrrrrrrr]

These suspicious versions appear to have been unpublished—for example, packages like debug and color have been restored. However, some libraries still have malicious code in their current latest versions as of now.

It remains unclear whether these packages were handled by npm officially or manually by their original authors, so the current risk status is uncertain.

  "color-name": {
    "2.0.1": {
      "version": "2.0.0",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "strip-ansi": {
    "7.1.1": {
      "version": "7.1.0",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "color-convert": {
    "3.1.1": {
      "version": "3.1.0",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "ansi-styles": {
    "6.2.2": {
      "version": "6.2.1",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "ansi-regex": {
    "6.2.1": {
      "version": "6.2.0",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "supports-color": {
    "10.2.1": {
      "version": "10.2.0",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "wrap-ansi": {
    "9.0.1": {
      "version": "9.0.0",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "is-arrayish": {
    "0.3.3": {
      "version": "0.3.2",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "color": {
    "5.0.1": {
      "version": "5.0.0",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "color-string": {
    "2.1.1": {
      "version": "2.1.0",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "has-ansi": {
    "6.0.1": {
      "version": "6.0.0",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "backslash": {
    "0.2.1": {
      "version": "0.2.0",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "error-ex": {
    "1.3.3": {
      "version": "1.3.2",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "slice-ansi": {
    "7.1.1": {
      "version": "7.1.0",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },
  "simple-swizzle": {
    "0.2.3": {
      "version": "0.2.2",
      "reason": "https://github.com/debug-js/debug/issues/1005"
    }
  },

[Qix-]

All updates timestamped. Newest = first.

---

15 Sep 2025 21:50 CEST

Initial CVEs posted; chalk* packages to come later.

#1005 (comment)

---

13 Sep 2025 19:34 CEST

Hi everyone, all remaining affected packages have been published over. Security advisories to follow, and a post-mortem will go out soon.

Closing for now and will post a final update here with all relevant advisory details and post mortem link when that happens, and hopefully putting this whole thing (including myself) to bed.

---

13 Sep 2025 16:54 CEST

Took a much needed break last night for the first time in a week. Finally got a contact at npm beforehand, woke up to a bunch of emails from them, and it looks like everything has been pushed through on their end. Thank you to those that reached out.

I will be starting in a few minutes, resuming with the publishing of new package versions and getting the security notices / CVEs out today.

---

12 Sep 2025 15:21 CEST

⚠️ Heads Up: New patch versions of all affected repositories will be going out today. Please expect that.

Will start in the next hour and will be taking things very slowly.

Chalk repositories are not included in this, as Sindre has already taken care of them.

---

11 Sep 2025 22:50 CEST

Post-mortem to come tomorrow, along with publishing a new version for all affected packages to help cache-bust some of you on e.g. private registries or mirrors.

Thank you all again for the patience and for the kindness.

---

09 Sep 2025 17:24 CEST

Hi everyone. The 'next day' busy-ness has fully set in.

Since I still haven't gotten any followup from npm regarding account actions taken, and given that I have now been approached by authorities, I will need to hold off on the post-mortem for a day or two.

Sincerest apologies for the delay.

---

08 Sep 2025 23:48 CEST

My account has been restored; all packages should be back to normal (at least, those published by me).

Other maintainers have been affected. Stay vigilant.

Going to try to get some sleep tonight after double checking all packages.

---

08 Sep 2025 21:59 CEST

Message from NPM:

"All impacted package versions have been taken down. I'll be in touch when we have more information regarding account recovery."

I've requested further information about which packages were published, their versions, and all account actions NPM took.

---

08 Sep 2025 21:50 CEST

No contact with npm since last update. Account still not recovered. Assume some packages are still compromised.

Less urgent: a few comments popping up about "why do is-arrayish et al even exist?". I'll talk more about this in the post-mortem but the answer is two-fold: 1) they probably shouldn't, but 2) they were written as old as 15 years ago to solve something not provided by any standard library.

---

08 Sep 2025 20:46 CEST

Minimal contact with npm, mostly about whether or not I have my recovery codes (which is irrelevant since the account email has been changed anyway).

I can't give any authoritative updates on which packages were compromised aside from the ones below, if any, nor the current status of my npm account, nor any affirmative status of the packages in question (yanked or still compromised, etc).

Out of an abundance of caution, until I can confirm with npm, please do not assume missing afflicted version number == safe package. I have been given no details or updates from npm about the status of anything so please remain vigilant.

---

08 Sep 2025 19:17 CEST

I've received first contact from NPM. They have told me they are aware of the breach and are working to remove the packages, but have not specified any details beyond that.

They have asked if I still have a CLI session to switch my account; that was the first thing I tried, all tokens were immediately revoked.

Awaiting further comms.

---

08 Sep 2025 18:59 CEST

No communication from NPM still. I still have no access to the account. Packages are still to be considered compromised.

I have emailed and called Porkbun to escalate the abuse complaint as far as possible. The amount of work that went into this phish is somehow both horrifying and a little flattering. I'd like to think it was just for me.

---

08 Sep 2025 17:35 CEST

Hello, thanks. Actually found out about this on bluesky.

Yes, I've been pwned. First time for everything, I suppose. It was a 2FA reset email that looked shockingly authentic. I should have paid better attention, but it slipped past me. Sincerely sorry, this is embarrassing.

• I've been locked out of my account on npm. I'm awaiting support's response to me. If someone at NPM is able to get in contact with me to escalate, ticket number is 3738263.
• NPM is only affected. It was a personal account. Repositories are not affected.
• The email came from support at npmjs dot help.

All affected packages:

• ansi-styles@6.2.2
• debug@4.4.2
• chalk@5.6.1
• supports-color@10.2.1
• strip-ansi@7.1.1
• ansi-regex@6.2.1
• wrap-ansi@9.0.1
• color-convert@3.1.1
• color-name@2.0.1
• is-arrayish@0.3.3
• slice-ansi@7.1.1
• color@5.0.1
• color-string@2.1.1
• simple-swizzle@0.2.3
• supports-hyperlinks@4.1.1
• has-ansi@6.0.1
• chalk-template@1.1.1
• backslash@0.2.1

There might be others; these are just the ones I got email notifications for.

@sindresorhus has already published over anything under @chalk and has booted me off.

This appears targeted, or at least with a filter for high downloads. Many other packages on my account are untouched.

Rest assured I'll be dealing with this all day; still waiting on npm. Sorry everyone.

[joeattardi]

Is it just version 4.4.2? The GitHub advisory says all versions > 0 but not sure.