
The Day npm Broke: How a Phishing Email Turned 2.6 Billion Weekly Downloads into a Supply Chain Weapon
On September 8, 2025, attackers republished 18 popular npm packages—including chalk, debug and strip-ansi—adding malicious code that targeted Web3 wallets. The phishing-driven breach exposed how a single compromised maintainer can turn 2.6 billion weekly downloads into a global supply chain weapon.