qix npm Account Compromise

September 2025 phishing compromise of npm maintainer 'qix' that hijacked 18 ultra-popular packages (chalk, debug, ansi-styles, strip-ansi and more, 1B+ weekly downloads) to inject a browser-based crypto wallet address swapper.

discovered 2025-09-08

↓ JSON ↓ CSV

Objective

Hijack cryptocurrency transactions in the browser by swapping destination wallet addresses.

Packages

npmansi-stylesattributed-to
npmdebugattributed-to
npmchalkattributed-to
npmsupports-colorattributed-to
npmstrip-ansiattributed-to
npmansi-regexattributed-to
npmwrap-ansiattributed-to
npmcolor-convertattributed-to
npmcolor-nameattributed-to
npmis-arrayishattributed-to
npmslice-ansiattributed-to
npmerror-exattributed-to
npmcolor-stringattributed-to
npmsimple-swizzleattributed-to
npmsupports-hyperlinksattributed-to
npmhas-ansiattributed-to
npmchalk-templateattributed-to
npmbackslashattributed-to

Indicators

sha1fc4a4858bafef54d1b1d7697bfb5c52f4c166976indicates
md519111111111111111111111111111111indicates
wallet0x66a9893cC07D91D95644AEDD05D03f95e1dBA8Afexfiltrates-to
wallet0x10ed43c718714eb63d5aa57b78b54704e256024eexfiltrates-to
wallet0x13f4ea83d0bd40e75c8222255bc855a974568dd4exfiltrates-to
wallet0x1111111254eeb25477b68fb85ed929f73a960582exfiltrates-to
wallet0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9fexfiltrates-to
wallet0xfc4a4858bafef54d1b1d7697bfb5c52f4c166976exfiltrates-to
wallet0x66a9893cc07d91d95644aedd05d03f95e1dba8afexfiltrates-to
wallet0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976exfiltrates-to
wallet0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024exfiltrates-to
wallet0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7Bexfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1552.004 Unsecured Credentials: Private Keysuses
ttpT1105 Ingress Tool Transferuses

Read the full analysis →