In early September 2025, one of the largest supply chain attacks in cybersecurity history resulted in as many as 20 popular npm packages being compromised, with a combined 2.67 billion weekly downloads.
The supply chain attack originated from a sophisticated phishing campaign targeting npm maintainer Josh Junon (qix) and other developers. The campaign resulted in a malicious code injection designed to hijack cryptocurrency wallet transactions across multiple blockchain networks.
What makes this NPM-targeted phishing campaign stand out is not just the scale of its impact, but the deliberate effort by attackers to leave behind no conventional red flags. In Varonis’ simulation of the attack, we saw how the campaign combined clean infrastructure with AI-assisted content generation to evade traditional email defenses.
Continue reading for more details of how the attack works, what makes it dangerous, and how you can catch phishing emails like this in your organization.
Why this phishing attack is especially dangerous
The combination of clean email infrastructure and AI-assisted content generation are two key elements that allowed the threat actor to evade traditional email defenses.
Let’s take a deeper look.
Clean email infrastructure
The phishing email wasn’t sent from a shady, misconfigured relay. Instead, it came through a domain (npmjs[.]help) set up with precision:
- SPF, DKIM, and DMARC all passed
- Authentication results looked legitimate at a glance:
- Authentication-Results: aspmx1.migadu.com;
- dkim=pass header.d=smtp.mailtrap.live header.s=rwmt1 header.b=Wrv0sR0r;
- dkim=pass header.d=npmjs.help header.s=rwmt1 header.b=opuoQW+P;
- spf=pass smtp.mailfrom=ndr-cbbfcb00-8c4d-11f0-0040-f184d6629049@mt86.npmjs.help;
- dmarc=pass (policy=none) header.from=npmjs.help
- The sending IP address wasn’t listed in any major spam blocklist (MXToolbox check)
In other words, from an infrastructure perspective, the email appeared “clean” and trustworthy.
AI-assisted phishing content
Where older phishing campaigns often gave themselves away through sloppy English, this one leaned on AI-generated text with an estimated 70–80% likelihood of AI assistance.
Key markers we observed:
- Polished, formal tone: Grammatically clean, no typos, no awkward phrasing.
- Generic corporate language: Phrases like “ongoing commitment to account security” or “at your earliest convenience”— textbook examples of templated AI phrasing.
- No personalization: The email avoided names, account details, or unique identifiers, keeping the content generic and reusable.
This made the email both professional-looking and harder to spot by humans and rule-based filters.
The result of these techniques? Over 2.6 billion downloads of the malicious packages in the week of September 1, 2025.
Figure 1: Malicious package downloads. 2.67 billion the week of September 1, 2025.
Figure 1: Malicious package downloads. 2.67 billion the week of September 1, 2025.
To truly put it in perspective, these packages were downloaded more than 130.765 billion times across all versions. The additional malicious code implements a multi-chain cryptocurrency interceptor targeting six major blockchain networks:
- Ethereum (ETH)
- Bitcoin (BTC)
- Solana (SOL)
- Tron (TRX)
- Litecoin (LTC)
- Bitcoin Cash (BCH)
It also has the regex for identifying each blockchain:
The malicious code contains extensive hardcoded address lists for each cryptocurrency, with a total of 280 crypto wallets distributed equally.
The main function responsible for the core wallet hijacking component that implements a "stealth proxy" to intercept Web3 wallet transactions.
At the time of our publication, the main Ethereum wallet has $434.75 USD,
0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976. The additional $70 appears in several other related wallets, with the attacker successfully stealing $504. We expect the total amount to grow into the low thousands.
Crypto Malware Stealer
The malicious package versions contain obfuscated JavaScript that silently injects a browser-side interceptor into frontend bundles. Upon page load, the code activates within the user's browser and wraps critical web APIs, including:
- fetch()
- XMLHttpRequest
- window.ethereum.request() (Ethereum wallet interface)
Solana wallet methods like solana_signTransaction and solana_signAndSendTransaction
This strategic hooking places the malware between the application and both the network and the wallet, enabling complete visibility and control over outbound requests and signed transactions.
Once active, the malware performs real-time inspection of API responses and transaction payloads, scanning for blockchain addresses across multiple cryptocurrencies.
If a money-moving action is detected — such as a transfer or token approval — the malware silently rewrites the recipient, spender, or approval target to attacker-controlled addresses. To maintain stealth, it uses lookalike substitutions based on the Levenshtein distance algorithm, ensuring the altered address visually resembles the original.
It also detects interactions with decentralized exchanges such as Uniswap, PancakeSwap, and SushiSwap, and stealthily modifies the transaction payload to redirect swapped funds to attacker-controlled addresses.
It even manipulates ERC-20 token approvals by maximizing the allowance (e.g., using f.repeat(64)), allowing the attacker to drain tokens later without further user interaction. Because these changes occur before the user signs the transaction, victims may unknowingly approve or send funds to the attacker while the interface appears completely normal.
How phishing campaigns become successful
Preparation is the key for a successful phishing campaign. For example, the steps include:
- Collecting a list of targets – NPM Package developers, whose emails are publicly available.
- Buy a domain – npmjs[.]help in our case, 3 days before launching the campaign.
- Set up a mail server – support@npmjs[.]help – in our case.
- Copy the original target site.
- Prepare a legitimate-looking phishing email, preferably with LLM and legit links.
- Wait for the bite on the (f)ishing pole.
Let’s break that down further:
Npmjs[.]help is a copy of the original nmpjs.com and can still be found in wayback machine:
The domain npmjs.help was registered on September 5, 2025, through the registrar Porkbun, LLC. It is still in an addPeriod (initial registration phase) and has multiple restrictive statuses like clientHold, clientTransferProhibited, and clientDeleteProhibited, which usually means it’s either inactive, under review, or restricted from being transferred or deleted. If not renewed, the domain will expire on September 5, 2026.
The phishing mail:
As mentioned by Josh Junon, a well-known developer of NPM packages, also noted how legitimate phishing looked.
It is worth mentioning that the "contact us" link in the mail actually links to the legitimate npmjs.com contact us page, making it appear even more legit.
Credential theft
The main deobfuscated JavaScript that is responsible for the credential theft, sending them to websocket-api2[.]publicvm.com:
The fake NPM page captures the username and password.
Next, intercept the 2FA.
Steal the recovery codes:
Finally, send the data to the attacker's server-side function.
The full ‘params’ format includes username, password, and 2fa token:
In case of recovery codes, it would be:
The answer is simple: fight AI with AI.
Traditional indicators — failed SPF, misspellings, blacklisted IPs — are no longer enough. Instead, detection must pivot to contextual, linguistic, and visual analysis.
In our lab, we detected this phishing attempt with extremely high success rates thanks to a multi-layered AI-driven approach:
Context analysis via relationship graphs
- Unknown sender.
- Domain (npmjs.help) had no prior communication history.
- No prior IT related discussion between the sender and receiver
Natural language analysis
- Classified as a 2FA reset request (the Intent)
- Stylistic markers matched patterns common in AI-generated phishing emails.
Phishing site analysis
- The site was a pixel-perfect replica of the legitimate NPM login page.
- In our Phishing Sandbox, AI visually and linguistically compared it with the real npmjs.com.
- Since the certificate and URL didn’t match, it was flagged as phishing even though visually it was indistinguishable.
Bottom line: The NPM hijacking campaign proved that attackers are now capable of building phishing operations that look flawless on the surface. But by applying AI-driven context, language, and site analysis, we can still reliably detect and stop them.
Recommendations and conclusion
Currently, all known infected packages have been rolled back or updated. Varonis Threat Labs recommends you ensure your org has the latest clean version from the list below:
As of our publication, no other well-known developers have reported being targeted or compromised. However, we don't need to imagine how dangerous just “one” phishing email can be.
For example, Mrasup, coliff, shakee93, and ebrandel are packages with thousands of weekly downloads. The vue-toasted package by ebrandel recieves 42K weekly downloads alone.
This story serves as a stark reminder that it is not the first nor the last time we will see more legitimate phishing campaigns from today’s threats. A few months ago, another domain with similar phishing caused a hijack of an NPM package and affected “just” 7 packages — including eslint packages with ~62M weekly downloads to drop additional malware.
To continue learning about the evolving threat landscape, read more Varonis Threat Labs content. If you believe your organization has been affected by phishing and are not a Varonis customer, please contact our team for assistance.
