(RESOLVED) Version 4.4.2 published to npm is compromised
MESSAGE FROM @Qix- : PLEASE SEE https://github.com/debug-js/debug/issues/1005#issuecomment-3266868187 FOR LATEST UPDATES.
Version not present in this repo has been pushed out to npm.
https://www.npmjs.com/package/debug/v/4.4.2?activeTab=code
src/index.js seems to contain ~a cryptominer installer~ something like a cryptostealer?
My brain is too foggy to figure out, but seems as if most of the payload doesn't actually run if typeof window == undefined as is the case in NodeJS runtime?
The afflicted npm packages share this prolific collaborator: https://www.npmjs.com/~qix
Perhaps he has suffered a security compromise.
It seems like all packages of https://www.npmjs.com/~qix got hacked. See https://github.com/Qix-/node-error-ex/issues/17#issue-3394431258
These suspicious versions appear to have been unpublished—for example, packages like debug and color have been restored. However, some libraries still have malicious code in their current latest versions as of now.
It remains unclear whether these packages were handled by npm officially or manually by their original authors, so the current risk status is uncertain.
"color-name": {
"2.0.1": {
"version": "2.0.0",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"strip-ansi": {
"7.1.1": {
"version": "7.1.0",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"color-convert": {
"3.1.1": {
"version": "3.1.0",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"ansi-styles": {
"6.2.2": {
"version": "6.2.1",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"ansi-regex": {
"6.2.1": {
"version": "6.2.0",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"supports-color": {
"10.2.1": {
"version": "10.2.0",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"wrap-ansi": {
"9.0.1": {
"version": "9.0.0",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"is-arrayish": {
"0.3.3": {
"version": "0.3.2",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"color": {
"5.0.1": {
"version": "5.0.0",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"color-string": {
"2.1.1": {
"version": "2.1.0",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"has-ansi": {
"6.0.1": {
"version": "6.0.0",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"backslash": {
"0.2.1": {
"version": "0.2.0",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"error-ex": {
"1.3.3": {
"version": "1.3.2",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"slice-ansi": {
"7.1.1": {
"version": "7.1.0",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
"simple-swizzle": {
"0.2.3": {
"version": "0.2.2",
"reason": "https://github.com/debug-js/debug/issues/1005"
}
},
All updates timestamped. Newest = first.
15 Sep 2025 21:50 CEST
Initial CVEs posted; chalk* packages to come later.
https://github.com/debug-js/debug/issues/1005#issuecomment-3293468231
13 Sep 2025 19:34 CEST
Hi everyone, all remaining affected packages have been published over. Security advisories to follow, and a post-mortem will go out soon.
Closing for now and will post a final update here with all relevant advisory details and post mortem link when that happens, and hopefully putting this whole thing (including myself) to bed.
13 Sep 2025 16:54 CEST
Took a much needed break last night for the first time in a week. Finally got a contact at npm beforehand, woke up to a bunch of emails from them, and it looks like everything has been pushed through on their end. Thank you to those that reached out.
I will be starting in a few minutes, resuming with the publishing of new package versions and getting the security notices / CVEs out today.
12 Sep 2025 15:21 CEST
⚠️ Heads Up: New patch versions of all affected repositories will be going out today. Please expect that.
Will start in the next hour and will be taking things very slowly.
Chalk repositories are not included in this, as Sindre has already taken care of them.
11 Sep 2025 22:50 CEST
Post-mortem to come tomorrow, along with publishing a new version for all affected packages to help cache-bust some of you on e.g. private registries or mirrors.
Thank you all again for the patience and for the kindness.
09 Sep 2025 17:24 CEST
Hi everyone. The 'next day' busy-ness has fully set in.
Since I still haven't gotten any followup from npm regarding account actions taken, and given that I have now been approached by authorities, I will need to hold off on the post-mortem for a day or two.
Sincerest apologies for the delay.
08 Sep 2025 23:48 CEST
My account has been restored; all packages should be back to normal (at least, those published by me).
Other maintainers have been affected. Stay vigilant.
Going to try to get some sleep tonight after double checking all packages.
08 Sep 2025 21:59 CEST
Message from NPM:
"All impacted package versions have been taken down. I'll be in touch when we have more information regarding account recovery."
I've requested further information about which packages were published, their versions, and all account actions NPM took.
08 Sep 2025 21:50 CEST
No contact with npm since last update. Account still not recovered. Assume some packages are still compromised.
Less urgent: a few comments popping up about "why do is-arrayish et al even exist?". I'll talk more about this in the post-mortem but the answer is two-fold: 1) they probably shouldn't, but 2) they were written as old as 15 years ago to solve something not provided by any standard library.
08 Sep 2025 20:46 CEST
Minimal contact with npm, mostly about whether or not I have my recovery codes (which is irrelevant since the account email has been changed anyway).
I can't give any authoritative updates on which packages were compromised aside from the ones below, if any, nor the current status of my npm account, nor any affirmative status of the packages in question (yanked or still compromised, etc).
Out of an abundance of caution, until I can confirm with npm, please do not assume missing afflicted version number == safe package. I have been given no details or updates from npm about the status of anything so please remain vigilant.
08 Sep 2025 19:17 CEST
I've received first contact from NPM. They have told me they are aware of the breach and are working to remove the packages, but have not specified any details beyond that.
They have asked if I still have a CLI session to switch my account; that was the first thing I tried, all tokens were immediately revoked.
Awaiting further comms.
08 Sep 2025 18:59 CEST
No communication from NPM still. I still have no access to the account. Packages are still to be considered compromised.
I have emailed and called Porkbun to escalate the abuse complaint as far as possible. The amount of work that went into this phish is somehow both horrifying and a little flattering. I'd like to think it was just for me.
08 Sep 2025 17:35 CEST
Hello, thanks. Actually found out about this on bluesky.
Yes, I've been pwned. First time for everything, I suppose. It was a 2FA reset email that looked shockingly authentic. I should have paid better attention, but it slipped past me. Sincerely sorry, this is embarrassing.
- I've been locked out of my account on npm. I'm awaiting support's response to me. If someone at NPM is able to get in contact with me to escalate, ticket number is 3738263.
- NPM is only affected. It was a personal account. Repositories are not affected.
- The email came from support at npmjs dot help.
All affected packages:
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
There might be others; these are just the ones I got email notifications for.
@sindresorhus has already published over anything under @chalk and has booted me off.
This appears targeted, or at least with a filter for high downloads. Many other packages on my account are untouched.
Rest assured I'll be dealing with this all day; still waiting on npm. Sorry everyone.
Is it just version 4.4.2? The GitHub advisory says all versions > 0 but not sure.
> Is it just version 4.4.2? The GitHub advisory says all versions > 0 but not sure.
Yeah, seems this is the case
More info about the malware here https://github.com/chalk/chalk/issues/656
FYI: It looks like the npm team took version 4.4.2 down from the npm registry a few minutes ago 💪🏼 I was lucky enough to install the dependency when version 4.4.2 wasn't available anymore.
Thanks for the update about that, npm still hasn't responded to me.
Yes, can confirm that node_modules/simple-swizzle/index.js version 0.2.3 is infected. Use grep -r "const _0x112" node_modules to scan your node_modules.
> Is it just version 4.4.2? The GitHub advisory says all versions > 0 but not sure.
I created an issue to solve this https://github.com/github/advisory-database/issues/6098
Hope it will be updated soon so we can continue to keep calm and pin our dependencies
Any advice for us who previously installed this package? Are passwords, bank accounts and other stuff in danger
My suggestion for something this serious is to remove the affected packages and monitor your accounts. This vector is too wide for a simple recommendation on mitigation tactics.
> Any advice for us who previously installed this package? Are passwords, bank accounts and other stuff in danger
https://github.com/chalk/chalk/issues/656#issuecomment-3266894253
https://github.com/chalk/chalk/issues/656#issuecomment-3266900029
Check these two for the full analysis. If you did not run this in browser, you're most likely safe.
You can also run rg -u _0x112fa8 inside your project to see if you're infected, as mentioned in this comment.
> FYI: It looks like the npm team took version 4.4.2 down from the npm registry a few minutes ago 💪🏼 I was lucky enough to install the dependency when version 4.4.2 wasn't available anymore.
Confirmed
> Any advice for us who previously installed this package? Are passwords, bank accounts and other stuff in danger
> Check these two for the full analysis. If you did not run this in browser, you're most likely safe.
> You can also run rg -u _0x112fa8 inside your project to see if you're infected, as mentioned in this comment.
What do you mean run this in browser? Does this mean I simply have to reset all my passwords that are saved in the browsers?
@vougioukakis If I understand this correctly, it's not a credential stealer, but it maps any crypto wallet ids to the ids of the attacker, so they effectively siphon off funds when you send crypto.
This means that the attack targeted crypto apps and platforms. It also seems like it only ran in the browser engine, not in NodeJS.
> Any advice for us who previously installed this package? Are passwords, bank accounts and other stuff in danger
> chalk/chalk#656 (comment) chalk/chalk#656 (comment) Check these two for the full analysis. If you did not run this in browser, you're most likely safe. You can also run rg -u _0x112fa8 inside your project to see if you're infected, as mentioned in this comment.
> What do you mean run this in browser? Does this mean I simply have to reset all my passwords that are saved in the browsers?
By running in browser I mean that you used any of the compromised dependencies, in this case debug, in an application that runs in the browser. The malware uses window, which is not available in a NodeJS app. Also, your credentials are most likely safe. In simple terms, what this seems to be doing is hook onto fetch and XMLHttpRequest and tries to replace crypto addresses so they point to the ones provided by the attacker.
However, nothing is for sure yet. I'd suggest you read the updates in this issue and if you feel like you've been compromised go ahead and do change your passwords.
> If I understand this correctly, it's not a credential stealer, but it maps any crypto wallet ids to the ids of the attacker, so they effectively siphon off funds when you send crypto.
@AxelRothe assume nothing yet because we don't know the full impact. All we know right now is that an account was hacked and packages are compromised. If you were affected, safest bet is to assume all information that could be stolen is stolen.
@shusson Yes. I said, "seems" not is. This is an ongoing development.
This was caught in our case before making it to production because the version was pulled just in time to make the CI workflow fail because it couldn't find the 4.4.2 version - lucky catch!
I'm a little bit stressed about this right now and I'm having trouble parsing the situation, so sorry if I'm asking dumb questions.
> Any advice for us who previously installed this package? Are passwords, bank accounts and other stuff in danger
> Check these two for the full analysis. If you did not run this in browser, you're most likely safe.
> You can also run rg -u _0x112fa8 inside your project to see if you're infected, as mentioned in this comment.
I did not run this in a browser; I did, however, execute tests on my local machine with vitest containing the code. Does that have any consequences for
- my system going forward
- my credentials, secrets etc, browser-based or otherwise
- my Node installation
- my IDE
- anything I didn't think of?
Github is basically saying full control of your computer might have been given to someone else and advising to nuke your computer https://github.com/advisories/GHSA-8mgj-vmr8-frr6 But first analysis I'm reading here and in the chalk comments don't seem to indicate that at all. I'm just trying to figure out what the best course of action is here, because it'd be a really inconvenient time to nuke everything and reset all credentials I have.
It's a cryptocurrency (Ethereum) drainer, for info. I'm running a thread on Mastodon: https://cyberplace.social/@GossiTheDog/115169390397282254
Seems to be not too bad, to be honest. It does not seem like any passwords etc. are getting leaked. It looks like malware which replaces the "receiver" eth/btc/ltc/crypto address with the attacker's one. If you don't have any crypto wallet installed, you should be good to go after removing the affected packages/versions.
See my blog post here: https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the
Hi all,
Do we know the availability slot of this corrupted version? (some hours only?) When removed from the npm registry, no more info is available, unfortunately... :(
> Github is basically saying full control of your computer might have been given to someone else and advising to nuke your computer https://github.com/advisories/GHSA-8mgj-vmr8-frr6 But first analysis I'm reading here and in the chalk comments don't seem to indicate that at all. I'm just trying to figure out what the best course of action is here, because it'd be a really inconvenient time to nuke everything and reset all credentials I have.
@SpoonOfDoom At this time, the GitHub advisory is the safest option. Malicious code was downloaded to your computer. What that code does is secondary to fixing the problem, i.e. deleting the impacted packages. In a couple of days we'll have a better idea. But you need to do your own risk assessment.
> FYI: It looks like the npm team took version 4.4.2 down from the npm registry a few minutes ago 💪🏼 I was lucky enough to install the dependency when version 4.4.2 wasn't available anymore.
debug 4.4.2 was taken down, but simple-swizzle 0.2.3 is still online and infected
https://www.npmjs.com/package/simple-swizzle?activeTab=code ... index.js
The IOC shared by @BitR13x was added as YARA rule to https://otx.alienvault.com/pulse/68bf031ee0452072533deee6
> This was caught in our case before making it to production because the version was pulled just in time to make the CI workflow fail because it couldn't find the 4.4.2 version - lucky catch!
I highly recommend adding a simple npm audit check in your CI that runs on PR pushes, in addition to pinning all your dependencies (remove ^ and latest, if that's even a thing).
The simplest example to run in a GitHub Action, since npm audit exits 1 when it finds one vulnerability of the given audit level:
```yaml
- name: Fail on high/critical vulnerabilities
  run: npm audit --audit-level=high
```
You can always use the --json version if you want to handle a whitelist if needed.
Deployment script for execution on managed endpoints (via CrowdStrike or any MDM), integrated with a Slackbot to provide real-time notifications when indicators of compromise (IOCs) are detected. Tested on macOS.
```bash
#!/bin/bash
# detect_infection.sh
# Greps for a suspicious JS token and, if found, notifies Slack with the hostname.
set -euo pipefail

# --- CONFIG ---
SLACK_WEBHOOK_URL="https://hooks.slack.com/services/XXX/YYY/ZZZ"  # <-- replace
PATTERN='const _0x112'

# Search scope: tune for performance; add/remove paths as needed
SEARCH_PATHS=(
  "/Users"         # user home dirs
  "/Applications"  # app bundles
)

# Skip heavy/noisy dirs to keep it fast. Add more as needed.
# Note: excluding "Library" also skips ~/Library; ~/.npm (the npm cache) is still searched.
EXCLUDES=(
  "Library"
  ".git"
  "Pods"
  "DerivedData"
)

# --- IMPLEMENTATION ---
HOSTNAME="$(scutil --get ComputerName 2>/dev/null || hostname -s || hostname)"
# The hostname is interpolated into a JSON body below; keep it to safe characters
# so a quote or backslash in a computer name cannot break the payload.
HOSTNAME="${HOSTNAME//[^[:alnum:]._ -]/_}"
TMP_RESULTS="$(mktemp)"
trap 'rm -f "${TMP_RESULTS}"' EXIT

# Build --exclude-dir args for grep (BSD grep supports multiple --exclude-dir)
EX_ARGS=()
for d in "${EXCLUDES[@]}"; do
  EX_ARGS+=("--exclude-dir=${d}")
done

# Recursive (-R), skip binaries (-I), list matching file names only (-l);
# -n is meaningless together with -l, so it is not passed.
# 2>/dev/null hides permission noise; head bounds the output.
# grep exits 1 when nothing matches, which pipefail would turn into an abort, hence || true.
grep -RIl "${EX_ARGS[@]}" -- "${PATTERN}" "${SEARCH_PATHS[@]}" 2>/dev/null \
  | head -n 1000 > "${TMP_RESULTS}" || true

if [[ -s "${TMP_RESULTS}" ]]; then
  # Found at least one match -> Slack notify (short message per request)
  INFECTED_MSG="This machine is infected: ${HOSTNAME}"
  # Send minimal JSON without relying on jq
  /usr/bin/curl -sS -X POST -H 'Content-Type: application/json' \
    --data "{\"text\":\"${INFECTED_MSG}\"}" \
    "${SLACK_WEBHOOK_URL}" >/dev/null || true
  echo "INFECTED: $(wc -l < "${TMP_RESULTS}") match(es) on ${HOSTNAME}"
  # Optional: also print first few hits to RTR output for triage
  head -n 20 "${TMP_RESULTS}"
else
  echo "CLEAN: no matches on ${HOSTNAME}"
fi

exit 0
```
Trying to keep track of everything. Is the recommended course of action still to basically rotate all passwords and credentials in addition to removing the infected package(s)? I was attempting to update some npm dependencies on a VM when the malicious package was installed.
Should be easy enough for me to throw away that VM and set up a new one, but I don't want to do all that if removing the files is enough.
Appreciate everyone moving quick on this issue.