At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved in maintaining the projects was phished. The attack appears to have been quickly contained and was narrowly focused on stealing cryptocurrency. But experts warn that a similar attack with a slightly more nefarious payload could quickly lead to a disruptive malware outbreak that is far more difficult to detect and restrain.

⁨https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/

The story includes perspectives from ⁨@GossiTheDog⁩ who has been following this saga all day today w/ updates here:

⁨https://cyberplace.social/@GossiTheDog/115169881407789957

Also comment and information from Josh Junon, who quickly replied that he was aware of having just been phished:

https://news.ycombinator.com/item?id=45169794

For an impact assessment, consider that 2 billion downloads per week translates to 24 million downloads in two hours.