DSA-2025-0901
ADVISORY - docker
Summary
Active supply chain attack in npm. The maintainer account "Qix" was compromised, allowing malicious releases of foundational packages (several co-maintained with Sindre Sorhus) on 2025-09-08.
The injected code is obfuscated and designed to redirect cryptocurrency transactions to attacker-controlled endpoints. In some packages it executes during installation or on first run to maximize capture.
Because these libraries sit deep in countless dependency graphs (e.g., chalk, debug, supports-color and related ansi/color utilities), the blast radius is high and indirect exposure is likely across CI and developer workstations. This appears to be a targeted campaign intended to maximize reach across the JavaScript ecosystem.
Recommended actions: remove the listed versions, reinstall from a clean lockfile, rotate potentially exposed credentials, and audit CI/CD runners and developer machines for indicators of compromise.
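A lockfile check covering the first of the recommended actions, added here as an example and not part of the advisory: it scans a package-lock.json for the compromised name@version pairs and tells you whether each hit is a direct dependency or indirect exposure. The package names come from the advisory; the compromised version strings are placeholders to be filled in from the advisory's list, and `some-lib` in the constructed sample is a hypothetical dependency.

```javascript
// Added example, not code from the advisory: scan a package-lock.json (lockfileVersion 2/3)
// for compromised name@version pairs and report where each sits in the install tree.
// The versions below are PLACEHOLDERS: fill them in from the advisory's listed versions.
const COMPROMISED = new Map([
  ["chalk", new Set(["0.0.0-PLACEHOLDER"])],
  ["debug", new Set(["0.0.0-PLACEHOLDER"])],
  ["supports-color", new Set(["0.0.0-PLACEHOLDER"])],
]);
// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (lockfile keys are install paths)
function nameFromLockPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1].replace(/\/+$/, "");
}
// Returns every compromised install found in lock.packages. "direct" is true only for a
// top-level install that the root project declares itself; anything else is the transitive
// exposure the advisory warns about. (lockfileVersion 1 uses a nested tree; not handled here.)
function findCompromised(lock, compromised = COMPROMISED) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const declared = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const hits = [];
  for (const [lockPath, meta] of Object.entries(packages)) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = meta.name || nameFromLockPath(lockPath);
    const bad = compromised.get(name);
    if (!bad || !bad.has(meta.version)) continue;
    const nested = lockPath.includes("/node_modules/"); // installed under another package
    hits.push({ name, version: meta.version, path: lockPath, direct: declared.has(name) && !nested });
  }
  return hits;
}
// Constructed sample lockfile: chalk is declared directly, debug arrives only through the
// hypothetical "some-lib", and supports-color is present at a clean (constructed) version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { chalk: "*", "some-lib": "*" } },
    "node_modules/chalk": { version: "0.0.0-PLACEHOLDER" },
    "node_modules/some-lib": { version: "1.0.0", dependencies: { debug: "*" } },
    "node_modules/some-lib/node_modules/debug": { version: "0.0.0-PLACEHOLDER" },
    "node_modules/supports-color": { version: "9.9.9" },
  },
};
// Usage: node scan-lock.js path/to/package-lock.json  (exit code 1 on any hit, for a CI gate)
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  const hits = findCompromised(lock);
  for (const h of hits) console.log(`${h.name}@${h.version} at ${h.path} (direct: ${h.direct})`);
  process.exitCode = hits.length ? 1 : 0;
}
```

Run it against every lockfile in CI and on developer machines; a nested hit with `direct: false` means a dependency of yours pulled the package in, so the reinstall from a clean lockfile must update that intermediate package too.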
Common Weakness Enumeration (CWE)
-