Two billion, six hundred million downloads per week. That is not a target. That is a blast radius. When attackers compromised a trusted npm maintainer's account on September 8, 2025, they did not need a clever zero-day in npm's infrastructure or a broken cryptographic primitive. They sent a phishing email. Someone clicked. The rest followed automatically, at the speed of CI/CD pipelines running across every time zone on earth.

## The September 8 Wave: One Credential, Eighteen Packages, Two Hours of Exposure

According to Upwind's incident analysis, the first malicious package versions appeared on npm at 13:16 UTC on September 8, 2025. By approximately 15:20 UTC, community members had spotted the suspicious code and raised alerts on GitHub, and maintainers reverted the compromised packages within about two hours. That response window is genuinely fast for a community-driven ecosystem, and it still matters less than you might hope, because the packages in question were not obscure utilities. As reported by Sweet Security, citing Aikido Security's initial discovery, the compromised packages collectively accounted for 2.6 billion weekly downloads, making this the largest npm compromise in history by that metric. Brian Krebs summarized the scope concisely: 18 popular JavaScript packages, including debug and chalk, were hijacked and rigged to steal cryptocurrency.

The attack's initial-access story is instructive precisely because it is unglamorous. The attackers did not break npm. They compromised a person. One maintainer's phished credential gave them the ability to publish new, malicious versions of libraries that sit at the foundation of countless production applications. NowSecure noted that the downstream exposure extends into mobile applications, since many mobile build pipelines pull from the same npm ecosystem. The injected code targeted cryptocurrency wallets and blockchain transactions, so the financial motive was immediate and legible.
The structural lesson here, which every developer and security-aware student should absorb, is in the dependency math. According to data cited in cyberdesserts.com's npm security analysis, the average npm project pulls in 79 transitive dependencies. You audit your direct dependencies. You rarely audit your dependencies' dependencies, or their dependencies' dependencies. That recursive blind spot is what attackers are counting on: a compromised version of a deep transitive package lands in your build through a version range you never wrote, from a package you never chose.

## The September 15 Wave: When the Payload Learns to Walk

Seven days later, the threat actors returned with something more ambitious. According to Trend Micro's research, on September 15 the npm registry experienced a second supply chain attack, again initiated through a targeted phishing campaign against maintainer accounts. This wave introduced two documented payloads with meaningfully different behaviors and goals, and the distinction is useful for anyone building a mental model of how supply chain attacks evolve.

The first payload, which Trend Micro calls Cryptohijacker, covertly diverted cryptocurrency assets by hijacking web APIs and manipulating network traffic. It is financially focused and designed to be quiet. Trend Micro's telemetry showed organizations across North America and Europe among the most affected.

The second payload, the Shai-Hulud worm, is a different category of concern entirely. As documented by Trend Micro, Shai-Hulud is delivered through compromised packages, steals cloud service tokens, deploys secret-scanning tools against the victim's environment, and uses the npm credentials it harvests to republish itself into other packages those accounts control, spreading to additional accounts automatically. Trend Micro's report stated that, as of its writing, it had seen no detections of the Shai-Hulud worm in the wild. Read alongside the 500-plus infected packages that Splunk counts below, that statement is best taken as no confirmed execution in monitored environments rather than an absence of compromised packages on the registry. Either way, the capability exists, the mechanism is understood, and defenders have a window to prepare.
Splunk's threat research team framed the broader pattern with useful precision: the September 2025 Shai-Hulud attack infected over 500 npm packages in a coordinated supply chain compromise and, in their assessment, marked a watershed moment in supply chain security, showcasing techniques that defenders must now treat as standard adversary tradecraft. The scale difference between the September 8 event (18 packages) and the September 15 wave (over 500 packages) reflects how quickly the threat actors iterated on initial success, and it is the natural consequence of a worm: every stolen publish token becomes a new source of infected packages.

## What the npm Ecosystem's Size Makes Possible (and Difficult)

To understand why these events carry weight beyond the JavaScript community, it helps to appreciate the ecosystem's scale. Splunk's security team notes that npm contains over 2.5 million packages and processes billions of weekly downloads, which they describe as an irresistible target for attackers seeking to compromise software supply chains at scale. The mathematics, as Splunk puts it, are straightforward: compromise a single popular package and you potentially gain access to thousands of downstream applications and their production environments.

The attack surface extends beyond web applications. NowSecure specifically highlighted the potential impact on mobile applications, since mobile development pipelines regularly consume npm packages as build dependencies. A compromised build tool does not need to reach end users directly; it only needs to touch the build process once.

Splunk's analysis also identifies the specific mechanism that makes npm especially exploitable: lifecycle hooks. npm's preinstall, install, and postinstall scripts execute automatically during package installation, without any user prompt or confirmation. A malicious postinstall script runs the moment a developer or CI runner executes npm install, with that user's privileges and environment variables, which is exactly where build systems tend to keep registry and cloud tokens. This is not an obscure edge case; it is standard npm functionality that threat actors have learned to weaponize reliably.
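The dependency math above and the lifecycle-hook mechanism just described both come down to questions you can answer from a lockfile. The following Node.js script is an added example, not code from the article or from any of the vendors it cites: it separates direct from transitive dependencies and records which direct dependency pulls each transitive package in, lists the packages npm itself has flagged with hasInstallScript (the entries whose preinstall, install or postinstall hook will run on npm install), and matches every resolved name@version against a denylist of the kind an advisory publishes. The lockfile, the package names and the denylist are constructed for the example; none of them refers to a real npm package.

```javascript
// Added example, not code from the article or from the vendors it cites.
// Walks a package-lock.json (lockfileVersion 2 or 3, flat "packages" map):
//   1. direct vs. transitive dependencies, with the direct dependency that
//      pulls each transitive package in;
//   2. packages npm marked "hasInstallScript", whose preinstall/install/
//      postinstall hook runs unprompted on `npm install`;
//   3. resolved name@version pairs that appear on an advisory denylist.
// SAMPLE_LOCK and SAMPLE_DENYLIST are constructed for this example; the
// package names are placeholders, not real npm packages.

const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^1.0.0", "log-lib": "^4.0.0" } },
    "node_modules/web-framework": {
      version: "1.2.0",
      dependencies: { "log-lib": "^4.0.0", "color-lib": "^5.0.0", "ms-lib": "^1.0.0" },
    },
    "node_modules/log-lib": { version: "4.4.0", dependencies: { "ms-lib": "^2.0.0" } },
    "node_modules/ms-lib": { version: "2.1.0" },
    "node_modules/color-lib": {
      version: "5.6.0",
      dependencies: { "ansi-lib": "^3.0.0" },
      hasInstallScript: true, // npm sets this when the package declares an install hook
    },
    "node_modules/ansi-lib": { version: "3.0.0" },
    // web-framework wants ms-lib 1.x and log-lib wants 2.x, so npm cannot hoist
    // one copy for both and nests the older one under web-framework.
    "node_modules/web-framework/node_modules/ms-lib": { version: "1.0.0" },
  },
};

// Constructed denylist in the name@version form an advisory would list.
const SAMPLE_DENYLIST = new Set(["color-lib@5.6.0", "ms-lib@1.0.0"]);

// Package name stored at a lockfile key: "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameOf(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Dependency names an entry declares. The root entry also carries devDependencies,
// which are installed (and run their hooks) on every developer machine and CI runner.
function declaredDeps(entry, isRoot) {
  return Object.keys({
    ...(entry.dependencies || {}),
    ...(entry.optionalDependencies || {}),
    ...(isRoot ? entry.devDependencies || {} : {}),
  });
}

// Node's resolution rule: the nearest node_modules/<dep>, walking up from the
// requiring package. This mirrors how npm lays nested copies out in the lockfile.
function resolveKey(packages, fromKey, depName) {
  let base = fromKey; // "" is the project root
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // optional or peer dependency absent from the lockfile
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

function analyzeLockfile(lock, denylist = new Set()) {
  const packages = lock.packages;
  const direct = new Set(); // lockfile keys of direct dependencies
  const via = new Map(); // transitive key -> Set of direct dependency names reaching it
  for (const name of declaredDeps(packages[""], true)) {
    const root = resolveKey(packages, "", name);
    if (!root) continue;
    direct.add(root);
    const stack = [root];
    const seen = new Set([root]);
    while (stack.length) {
      const cur = stack.pop();
      for (const dep of declaredDeps(packages[cur], false)) {
        const key = resolveKey(packages, cur, dep);
        if (!key || seen.has(key)) continue;
        seen.add(key);
        if (!via.has(key)) via.set(key, new Set());
        via.get(key).add(name);
        stack.push(key);
      }
    }
  }
  for (const key of direct) via.delete(key); // reachable transitively too, but still direct
  const report = { direct: [...direct].map(nameOf).sort(), transitive: {}, installScripts: [], denylisted: [] };
  for (const [key, names] of via) report.transitive[key] = [...names].sort();
  for (const [key, entry] of Object.entries(packages)) {
    if (key === "") continue;
    const chain = direct.has(key) ? ["(direct)"] : report.transitive[key] || ["(unreachable)"];
    const finding = { key, version: entry.version, via: chain };
    if (entry.hasInstallScript) report.installScripts.push(finding);
    if (denylist.has(`${nameOf(key)}@${entry.version}`)) report.denylisted.push(finding);
  }
  return report;
}

console.log(JSON.stringify(analyzeLockfile(SAMPLE_LOCK, SAMPLE_DENYLIST), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) and the denylist with the versions an advisory names. It reads lockfileVersion 2 and 3, which carry the flat packages map; version 1 lockfiles nest a dependencies tree and would need a different walker. The via field is the practical payoff: when a deep package turns up with an install hook or on a denylist, it tells you which direct dependency to pin, replace or report, instead of leaving you with a package name you have never heard of.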
## What This Means for You as a Learner and Builder

If you are learning software development, studying security, or building anything that touches JavaScript, this story is a practical case study in how modern software risk actually works. The perimeter is not your application code. The perimeter extends into every package you install, every package those packages install, and the humans who maintain all of them.

The actionable takeaways are not exotic. Lock your dependency versions with a package-lock.json or yarn.lock file, and install from that lockfile with npm ci rather than npm install, so a compromised new version that still satisfies a caret range in package.json does not land in your next build. Disable lifecycle hooks where you can, with ignore-scripts=true in .npmrc, and review the short list of packages that genuinely need them. Audit your dependency trees with tools like npm audit, but understand its limit: it reports advisories that have already been published, so in the hours between a malicious publish and its advisory it reports nothing. Pay attention when the security community raises alerts on GitHub, as the September 8 response demonstrated that community speed can matter. And if you maintain open source packages, treat your npm publish credentials with the same seriousness as production database access and protect them with phishing-resistant two-factor authentication, because the initial access on September 8 was a phishing email, and from an attacker's perspective a publish token and a production credential are equivalent.

The absence of Shai-Hulud detections in Trend Micro's telemetry at the time of its report is good news as far as it goes, and it reflects both fast community response and active defender preparation; it describes monitored environments, though, not the registry, where Splunk counts over 500 infected packages. The window to build better habits around dependency hygiene is open. The September 2025 events are a vivid, well-documented illustration of why those habits matter before an incident, not after one.

## Sources

- Major NPM Supply-Chain Attack: Potential Impact on Mobile Applications - NowSecure
- Tradecraft Tuesday Recap: axios npm Supply Chain Compromise
- What We Know About the NPM Supply Chain Attack - Trend Micro (US)
- Defending Against npm Supply Chain Attacks: A Practical Guide to Detection, Emulation, and Analysis - Splunk
- npm Security Risks 2026: Vulnerable Packages & Fixes
- 18 popular JavaScript packages hacked to steal crypto - Brian Krebs (LinkedIn)
- npm Supply Chain Attack: Massive Compromise of debug, chalk ...
- Largest npm Supply-Chain Attack Hits Billions of Downloads - Sweet Security
- Largest NPM Compromise in History - Supply Chain Attack - Reddit