NPM Supply Chain Attack Response

Author: Stellar Development Foundation


SDF’s Response & Status

All projects under the SDF GitHub organization are unaffected.

SDF security and engineering teams responded immediately and found:

  • No known malicious packages in SDF projects - In addition to routine ongoing scanning, an explicit audit of all projects under the SDF GitHub organization was conducted (using manual and automated methods), and we found no instances of malicious package versions.
  • Proactive protection implemented - As a precautionary measure, relevant NPM project packages were pinned to last known-safe versions.

While the malicious package versions have been removed from the NPM registry, this is an evolving attack and more affected packages may be discovered. SDF will continue to monitor this evolving situation and will provide updates as needed.

What Happened

Early on the morning of September 8, 2025, a major supply chain attack was discovered in the NPM ecosystem. Malicious versions of dozens of commonly used NPM packages (as listed here and here) were published to the NPM registry. These packages have billions of downloads weekly. The attack was accomplished through a phishing attack on a popular NPM developer. Despite the massive scale, the attack was identified quickly by the community and notifications were sent out across the industry in a matter of hours.

What it did (Malicious Payload)

The methodology for this attack included passive address swapping and active transaction hijacking through “monkey-patched” fetch and XMLHttpRequest calls. These actions were focused on attacking wallets within the Bitcoin Classic (BTC), Bitcoin Cash (BCH), Litecoin (LTC), Solana (SOL), and Ethereum (ETH) ecosystems. The Stellar network is not targeted by this malware.

Recommended Actions for the Stellar Ecosystem

For NPM Projects:

  • Audit your NPM projects to ensure you are not using malicious versions of affected packages. This can be accomplished across multiple projects using native or third-party dependency scanning tools.
  • If any affected packages are being used in a project, pin all affected packages to their last known-safe versions using the overrides feature in package.json (for projects using yarn as a package manager, the equivalent is resolutions) and rebuild. Since the list of affected packages is still growing, ensure when pinning that other (unaffected) package versions are not updated at the same time, if possible.
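The audit-and-pin steps above, as an added example that is not SDF's or npm's own code: it scans a package-lock.json (a constructed lockfileVersion 3 sample is embedded inline) for exact known-bad versions, including transitive copies nested under another dependency, and emits the package.json overrides map that pins each hit to its last known-safe version. The package names and versions in the advisory table are placeholders; the real list comes from the incident advisories.

```javascript
// Added example (not SDF's or npm's code): scan a package-lock.json for known-bad
// versions and build the package.json "overrides" map that pins them back.
// Constructed advisory table with placeholder names; substitute the real
// package/version pairs from the incident advisories you are working from.
const ADVISORY = {
  "example-pkg-a": { bad: ["1.2.3"], safe: "1.2.2" },
  "example-pkg-b": { bad: ["4.0.1", "4.0.2"], safe: "4.0.0" },
};

// Constructed lockfileVersion 3 package-lock.json. Keys of "packages" are
// node_modules paths, so a transitive copy appears nested under its parent.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/example-pkg-a": { version: "1.2.3" },
    "node_modules/some-lib": { version: "9.9.9" },
    "node_modules/some-lib/node_modules/example-pkg-b": { version: "4.0.2" },
    "node_modules/example-pkg-b": { version: "4.0.0" },
  },
});

// "node_modules/some-lib/node_modules/@scope/x" -> "@scope/x"
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Report every installed copy, top-level or nested, whose exact version is on the
// bad list: a safe top-level copy does not clear a nested bad one.
function findAffected(lockJson, advisory) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(lockPath);
    if (!name || !advisory[name]) continue;
    if (advisory[name].bad.includes(meta.version)) hits.push({ name, version: meta.version, where: lockPath });
  }
  return hits;
}

// Pin exact versions, not ranges: a caret range could resolve to a later,
// still-compromised release. yarn's "resolutions" field takes the same shape.
function buildOverrides(hits, advisory) {
  const overrides = {};
  for (const { name } of hits) overrides[name] = advisory[name].safe;
  return overrides;
}
console.log(JSON.stringify({ overrides: buildOverrides(findAffected(SAMPLE_LOCK, ADVISORY), ADVISORY) }, null, 2));
```

After adding the printed overrides block to package.json, rerun the install and scan the regenerated lockfile again, since overrides only take effect once the lockfile is rebuilt.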

Build Pipeline: Audit your build and deployment pipelines to ensure you have not downloaded and installed malicious versions of any affected package in any of your builds or releases.

For Developers: If you are a developer and locally built a project with NPM, or ran “npm” commands recently, audit your workstation to ensure that you did not download malicious versions of any affected packages on your system.