Chalk And 17 Other NPM Packages Compromised In Supply-Chain Attack - Checkmarx

September 8, 2025

The maintainer of the widely used `chalk` package (known as “qix”) reports that their NPM account was compromised and used to publish malicious versions of several packages they maintain, creating a supply-chain attack vector for every project that installs them. At the time of writing, the following versions carry this 0-day malware:

  • ansi-styles@6.2.2
  • debug@4.4.2
  • chalk@5.6.1
  • supports-color@10.2.1
  • strip-ansi@7.1.1
  • ansi-regex@6.2.1
  • wrap-ansi@9.0.1
  • color-convert@3.1.1
  • color-name@2.0.1
  • is-arrayish@0.3.3
  • slice-ansi@7.1.1
  • color@5.0.1
  • color-string@2.1.1
  • simple-swizzle@0.2.3
  • supports-hyperlinks@4.1.1
  • has-ansi@6.0.1
  • chalk-template@1.1.1
  • backslash@0.2.1

The maintainer is posting updates in a GitHub comment thread (as always, treat public threads with caution: attackers can post in response threads to further their own goals, so verify any claimed fixes before acting on them).

These malicious versions are flagged by the Checkmarx Malicious Package product, including the Malicious Package Identification API. We recommend re-scanning every project that depends on any of these packages to determine whether a compromised version was built or deployed to production during the window between publication and discovery.

At this time, NPM has not removed all of the versions above from the registry, so it is essential to find applications whose dependency resolution could pick up an affected version (for example by checking lockfiles in CI) and to block those builds.

0-day Malware steals Bitcoin and other cryptocurrency transactions

The affected versions of the packages above were modified to include malware that targets the browser. When a user loads a web page whose bundled JavaScript includes one of the compromised versions, the malware hooks common browser facilities (network requests and wallet provider APIs) and watches for sensitive payment data, focusing on cryptocurrency transactions (Ethereum, Bitcoin, Bitcoin Cash, Litecoin and others), and rewrites the destination address. Because the tampering happens before the transaction is signed, the signed transaction pays the attacker instead of the intended recipient.

The malware includes several stealth features designed to avoid detection by users of crypto wallets and similar tools. Checkmarx Zero would like to thank Aikido Security for their thorough discussion of the malicious behavior.

Indicators of compromise (IoCs) 

We’ve observed the following reliable indicators of compromise. There may be others we have yet to observe.

  • ETH receiver: 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976 (this may not be the only or primary address)
  • Large hard-coded address lists for ETH, BTC (1… and bc1… prefixes), TRON (T…), BCH (bitcoincash:), LTC (ltc1…, L…/M…) and Solana (various prefixes).
  • Global names and patterns you can grep for in your codebase and build output:
    • Identifiers: stealthProxyControl, runmask, newdlocal, checkethereumw, neth, loval, rund
    • Function selectors: 0x095ea7b3, 0xd505accf, 0xa9059cbb, 0x23b872dd (the selectors of the ERC-20 approve, permit, transfer and transferFrom functions)
    • The long address arrays and the constant Solana pubkey 19111111111111111111111111111111

Why it’s effective 

  • Network-layer replacement poisons page content or API payloads before your application sees them.
  • Wallet-layer hooking corrupts transactions at the last moment, even when your UI shows the correct recipient, by mutating the provider call arguments before they are signed.
  • Choosing the attacker address with the smallest Levenshtein distance to the original makes the substituted address look plausible, so a casual glance at the wallet confirmation does not reveal the swap.
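The two mechanisms in the last two bullets can be made concrete with an added example (this is not the malware's code and not Checkmarx tooling): a preflight check that decodes which address an Ethereum transaction will actually pay, including the recipient embedded in ERC-20 calldata behind the four selectors listed as IoCs, compares it with the recipient the user intended, and reports the Levenshtein distance so a reviewer can see how close a substituted address is. The transaction objects and addresses below are constructed for illustration; the `tx` shape is the `params[0]` object a dApp passes to `eth_sendTransaction`.

```javascript
// Added example: decode the real payee of an Ethereum transaction and compare
// it with the intended recipient. Not the malware's code; constructed sample data.

// 4-byte selectors listed as IoCs above; the value indicates which 32-byte
// ABI word after the selector holds the address that receives value/approval.
const ERC20_RECIPIENT_WORD = {
  '0xa9059cbb': 0, // transfer(address to, uint256 amount)
  '0x23b872dd': 1, // transferFrom(address from, address to, uint256 amount)
  '0x095ea7b3': 0, // approve(address spender, uint256 amount)
  '0xd505accf': 1, // permit(address owner, address spender, uint256 value, ...)
};

// Returns the recipient/spender address inside ERC-20 calldata, or null if
// `data` is not one of the four calls above or is malformed.
function decodeErc20Recipient(data) {
  const hex = String(data).toLowerCase();
  if (!/^0x[0-9a-f]*$/.test(hex) || hex.length < 10) return null;
  const wordIndex = ERC20_RECIPIENT_WORD[hex.slice(0, 10)];
  if (wordIndex === undefined) return null;
  const start = 10 + wordIndex * 64;
  const word = hex.slice(start, start + 64);
  if (word.length !== 64) return null;   // truncated calldata
  if (!/^0{24}/.test(word)) return null; // address args are left-padded with 12 zero bytes
  return '0x' + word.slice(24);
}

// Classic single-row dynamic-programming edit distance.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return prev[b.length];
}

// A plain ETH transfer pays `to`; an ERC-20 call pays the address inside the
// calldata, while `to` is the token contract. Returns a verdict a wallet or
// review tool can log or block on.
function checkTxIntent(tx, intendedRecipient) {
  const intended = intendedRecipient.toLowerCase();
  const erc20To = decodeErc20Recipient(tx.data || '0x');
  const actual = (erc20To ?? tx.to ?? '').toLowerCase();
  return { ok: actual === intended, actual, intended, distance: levenshtein(actual, intended) };
}

// Constructed sample: the user meant to pay INTENDED, but the calldata that
// reaches the provider names SWAPPED, which differs only in its last 4 chars.
const INTENDED = '0x1111111111111111111111111111111111111111';
const SWAPPED = '0x1111111111111111111111111111111111112222';
const TOKEN_CONTRACT = '0x' + 'c0'.repeat(20); // placeholder token address
const AMOUNT_WORD = '1'.padStart(64, '0');

const tamperedTransfer = {
  to: TOKEN_CONTRACT,
  data: '0xa9059cbb' + SWAPPED.slice(2).padStart(64, '0') + AMOUNT_WORD,
};
const cleanEthTransfer = { to: INTENDED, data: '0x' };

function demo() {
  return {
    tampered: checkTxIntent(tamperedTransfer, INTENDED), // ok: false, distance: 4
    clean: checkTxIntent(cleanEthTransfer, INTENDED),    // ok: true, distance: 0
  };
}
```

Because the hook described above lives inside the page's own `request` path, a check like this is only trustworthy where the page's JavaScript cannot reach it: in the wallet extension's confirmation logic, in a hardware wallet's on-device display, or in an offline review of the raw transaction. Run from the dApp itself it would see the arguments before the hook mutates them and report nothing wrong.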

Maintainer “qix” was compromised through phishing

The primary maintainer, qix, appears to have been compromised through a phishing attack that asked them to update their two-factor authentication (2FA) settings. It is unclear whether qix was specifically targeted or caught by a broader campaign. The attacker sent a fairly convincing message appearing to come from NPM (from the domain `npmjs[.]help`) and used familiar tactics, an appeal to urgency and fear, to prompt immediate action.

The phishing domain was registered on 5 September 2025 and the email appears to have been sent on 8 September 2025; the attacker published the compromised versions immediately after the phish succeeded, which suggests a prepared attack plan designed to maximize the return before detection.
