The Great NPM Heist - September 2025
Check Point, Wednesday, September 10th, 2025
The JavaScript ecosystem experienced what is now considered the largest supply chain attack in npm history. A sophisticated phishing campaign led to the compromise of a trusted maintainer's account, resulting in the injection of cryptocurrency-stealing malware into 18+ foundational npm packages.
These packages collectively accounted for over 2 billion weekly downloads, affecting millions of applications globally, from personal projects to enterprise-grade systems.
Following the discovery of the breach, the npm team began removing several of the malicious package versions published by the attackers, including the compromised debug package, which alone sees over 357 million downloads each week.