
Threat Intelligence Update: Node.js Compromise Events
Editor’s note: This is an emergent story, and therefore some information may become outdated quickly. Additional updates will be made to this story as new intelligence and information becomes available.
Update: September 17, 2025 – the current list of known and/or suspected NPM packages has dramatically increased and continues to grow. Pondurance recommends that anyone wishing to see the most up-to-date list of packages visit StepSecurity’s threat intelligence page for the most recent updates. Pondurance continues to monitor the list of packages known or suspected to be compromised for potential customer impact.
Initial article: September 16, 2025 - 13:00 Eastern US
Multiple news agencies and threat intelligence organizations have reported on an evolving set of threat activities that began on or about September 8, 2025. A well-known and respected developer of software components within the Node.js community (a JavaScript runtime environment), using the username “qix-” (real name: Josh Junon), fell victim to a phishing attack and temporarily lost control of his code repositories. This compromise included the code for several broadly used packages, such as “chalk”. Because these packages were used in a significant number of other developers’ codebases, the infected versions made their way into potentially hundreds of platforms, tools, and products from multiple developers and vendors. On or about September 15, 2025, these compromised packages were discovered to be able to compromise other packages within the same NPM tenancy where they had been incorporated or installed. While the total number of impacted products and software tools is unknown at this time, about 18 packages managed or maintained by qix- were confirmed to be compromised, with as many as 40 other packages suspected to have been impacted; these numbers are likely to increase over time as more information is received. The nature of the malicious code (and its ability to self-propagate) makes defining total numbers and scope difficult at best.
What happened:
qix- received a malicious email designed to trick a user into revealing credentials and other login information (phishing). Through interacting with the email and subsequent site logins, attackers gained control of tokens used to grant access to code libraries controlled by qix- on the NPM code management platform. This platform, used by thousands of developers, does use modern and secure techniques to avoid this kind of incursion. qix- was deceived into believing that his Multi-Factor Authentication (MFA) tokens for NPM had been invalidated, and during the process of resetting these tokens, the threat actors were able to obtain fraudulent access to his NPM account.
From there, the attackers inserted malicious code into multiple otherwise legitimate packages that were in use by thousands (and potentially millions) of developers around the world. This malicious code, when run, would seek out additional access tokens belonging to whichever developer used the infected packages in their own NPM tenancies. Once additional tokens were acquired, the malicious code copied itself into other packages maintained by the same developer, essentially converting those packages into additional infection vectors for more and more NPM accounts and repositories. When these newly infected packages were then used by additional developers, the cycle continued. The full extent of this self-propagation is not yet known, but Pondurance Threat Intelligence is watching the situation closely.
Additionally, it is suspected that some of the infected packages downloaded additional malicious code capable of stealing cryptocurrency transactions and wallet information. This has yet to be confirmed as part of this specific incident, and may be attributed to a prior, similar, incident.
Who performed the attack:
The identity of the threat actors is currently unknown, with only some overall indicators tying the instances of compromise and attack together. First, the NPM packages containing malicious code appear to have originated from the compromised packages originally accessed via the attack on qix-. Second, all of the most recently compromised packages attempt to perform operations such as token extraction and exfiltration to a public repository labeled “Shai-Hulud” and attempt to propagate to other packages if and when possible. These points of commonality do indicate that a single threat actor or threat group is responsible for the overall sequence of attacks since September 7th/8th, but this has yet to be verified. It is also possible that multiple threat actors are using the same root code packages.
What should be done to protect against/contain the attack:
Pondurance customers should consult with their Technical Account Manager to determine if any suspicious activity has been detected within their organizations’ networks.
All organizations should determine if developers have used any packages created and/or maintained by qix- within their own software, repositories, plugins, and/or other NPM packages. The inclusion of a “bundle.js” bundle that is not expected to be part of the package is an early Indicator of Compromise (IOC). The current list of known compromised qix- packages follows, though this is subject to change.
If any of these packages, any packages which have had a “bundle.js” bundle added, or any others known or suspected to be developed/maintained by qix- are in use, upgrade to the latest versions of these packages immediately. All code housed within the same repositories as any code using any of these packages must be considered suspect, and an immediate code review must be undertaken to verify that the packages are clean, or remediation efforts must be taken.
All organizations should closely monitor security news and updates from vendors of any applications used in their environments. More vendors will be issuing updates to software and tools over the coming days as those vendors discover that one or more infected packages were incorporated into their own code. Any software updates available should be applied as quickly as possible - even if this could cause a disruption to business operations. The ability of these infected packages to gain additional malicious components at a future point means that any compromised software can become a launchpad for malware without warning, so updates should be classified as critical/highest priority.
What Pondurance is doing:
Pondurance staff is tracking vendor advisories; at this time we have not seen reputable confirmation that named security products were compromised via this npm incident. The Pondurance team will continue to evaluate the situation in the coming days/weeks as a high-priority/high-severity situation, and remediate accordingly whenever a compromised package may have been utilized anywhere in the Scope platform or other areas of Pondurance technology. Information on current status can be obtained through your Pondurance TAM and/or through the “Recent Announcements” section of the Scope dashboard.
Any Pondurance customer should feel free to reach out to their Technical Account Manager, or contact Pondurance staff through the Scope dashboard. This post will be updated with new information and intelligence as it becomes available.
