Color NPM Package Compromised
2 days ago
- #phishing
- #npm
- #security
- On September 8, 2025, Josh Junon's npm account (qix) was compromised, and backdoored versions of several of his packages were published to the registry.
- The attack started with a phishing email from the lookalike domain 'npmjs.help' (the real registry is npmjs.com), which tricked Josh into "resetting" his 2FA and handed the attacker control of the account.
- The payload only activates in a browser, where it targets cryptocurrency transactions; it does nothing on servers or developer machines where the packages are merely installed, so it is harmful only when a compromised version is bundled into a web page that users load.
- Affected packages include 'color', which alone has roughly 32 million weekly downloads; because these packages are pulled in transitively by countless projects, the blast radius is enormous.
- npm's response has been slow: Josh is still locked out of his account, and some compromised versions are still being served from the registry.
- The best source for updates is Kevin Beaumont's thread on Mastodon.