When One Login Shakes the Web: How 18 JavaScript Libraries Got Hijacked
14:01, 11.09.2025
A wave of malicious code briefly infiltrated 18 popular JavaScript libraries on NPM, which together receive over 2 billion weekly downloads. The breach began with a single deceptive email. Disguised as an official NPM notice, it asked a maintainer to update two-factor authentication. The message linked to a fake login page that captured a one-time token. With these stolen credentials, attackers entered the maintainer’s account, changed his recovery email, and quietly pushed altered versions of widely used packages.
The inserted code targeted cryptocurrency users. It could intercept wallet activity in the browser, manipulate transaction details, and redirect assets without obvious warning. Security company Aikido flagged the tampering through automated scans of repository commits. The poisoned packages were quickly cleaned, but the incident underscored how little it takes to weaponize trusted dependencies.
Fragility of the Software Supply Chain
Specialists noted that the attackers focused on stealing crypto funds instead of attempting broader sabotage, even though access to these libraries could have enabled far more disruptive outcomes. The episode illustrates the weakness of an ecosystem where vast amounts of software depend on a handful of overworked volunteers. Each new dependency multiplies the potential attack surface and makes phishing against just one developer a global risk.
What Needs to Change
Researchers argue that maintainers should adopt stronger publishing rules. Builds should originate only from predictable continuous integration pipelines, and ad-hoc uploads must be blocked. Contributors should also rely on phishing-resistant methods such as physical security keys rather than one-time codes delivered by SMS or authenticator apps. Without such safeguards the integrity of the open-source supply chain remains precarious. The story is a reminder that one successful phishing email can ripple through the entire web.
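As an added illustration of the "publish only from a predictable CI pipeline" recommendation (this is not code from the article or from any of the affected projects), the following GitHub Actions workflow publishes an npm package with a signed provenance attestation, so the registry records which repository and workflow produced each version; it assumes a GitHub-hosted repository, a registry token stored as the secret NPM_TOKEN, and that releases are cut by pushing a version tag.

```yaml
# Hypothetical example workflow: .github/workflows/publish.yml
# The weak alternative this replaces is a maintainer running `npm publish`
# from a laptop with a long-lived token, which is exactly what a phished
# login can reuse. Here the only publish path is this pipeline.
name: publish

on:
  push:
    tags:
      - "v*"          # release only from tagged commits, never from ad-hoc pushes

permissions:
  contents: read
  id-token: write     # lets npm obtain an OIDC token for --provenance

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # In production, pin each action to a full commit SHA rather than a tag.
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # sets up .npmrc for publishing

      - run: npm ci             # reproducible install from the lockfile
      - run: npm test

      # --provenance attaches a Sigstore attestation linking the tarball to
      # this repository, commit and workflow run; consumers and the registry
      # can verify that the artifact did not originate from a developer machine.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

This workflow only closes the ad-hoc path if the package's publishing settings on npm are also configured to reject uploads that bypass the pipeline; otherwise a stolen token still works.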