{"campaign":{"name":"qix npm Account Compromise","slug":"qix-npm-account-compromise","href":"/ti/campaigns/qix-npm-account-compromise","description":"September 2025 phishing compromise of npm maintainer 'qix' that hijacked 18 ultra-popular packages (chalk, debug, ansi-styles, strip-ansi and more, 1B+ weekly downloads) to inject a browser-based crypto wallet address swapper.","objective":"Hijack cryptocurrency transactions in the browser by swapping destination wallet addresses.","aliases":[],"discovered_at":"2025-09-08"},"packages":[{"ecosystem":"npm","name":"ansi-styles","href":"/ti/packages/npm/ansi-styles","threat_types":["crypto_drainer"],"versions":["6.2.2"]},{"ecosystem":"npm","name":"debug","href":"/ti/packages/npm/debug","threat_types":["crypto_drainer"],"versions":["4.4.2"]},{"ecosystem":"npm","name":"chalk","href":"/ti/packages/npm/chalk","threat_types":["crypto_drainer"],"versions":["5.6.1"]},{"ecosystem":"npm","name":"supports-color","href":"/ti/packages/npm/supports-color","threat_types":["crypto_drainer"],"versions":["10.2.1"]},{"ecosystem":"npm","name":"strip-ansi","href":"/ti/packages/npm/strip-ansi","threat_types":["crypto_drainer"],"versions":["7.1.1"]},{"ecosystem":"npm","name":"ansi-regex","href":"/ti/packages/npm/ansi-regex","threat_types":["crypto_drainer"],"versions":["6.2.1"]},{"ecosystem":"npm","name":"wrap-ansi","href":"/ti/packages/npm/wrap-ansi","threat_types":["crypto_drainer"],"versions":["9.0.1"]},{"ecosystem":"npm","name":"color-convert","href":"/ti/packages/npm/color-convert","threat_types":["crypto_drainer"],"versions":["3.1.1"]},{"ecosystem":"npm","name":"color-name","href":"/ti/packages/npm/color-name","threat_types":["crypto_drainer"],"versions":["2.0.1"]},{"ecosystem":"npm","name":"is-arrayish","href":"/ti/packages/npm/is-arrayish","threat_types":["crypto_drainer"],"versions":["0.3.3"]},{"ecosystem":"npm","name":"slice-ansi","href":"/ti/packages/npm/slice-ansi","threat_types":["crypto_drainer"],"versions":["7.1.1"]},{"ecosystem"
:"npm","name":"error-ex","href":"/ti/packages/npm/error-ex","threat_types":["crypto_drainer"],"versions":["1.3.3"]},{"ecosystem":"npm","name":"color-string","href":"/ti/packages/npm/color-string","threat_types":["crypto_drainer"],"versions":["2.1.1"]},{"ecosystem":"npm","name":"simple-swizzle","href":"/ti/packages/npm/simple-swizzle","threat_types":["crypto_drainer"],"versions":["0.2.3"]},{"ecosystem":"npm","name":"supports-hyperlinks","href":"/ti/packages/npm/supports-hyperlinks","threat_types":["crypto_drainer"],"versions":["4.1.1"]},{"ecosystem":"npm","name":"has-ansi","href":"/ti/packages/npm/has-ansi","threat_types":["crypto_drainer"],"versions":["6.0.1"]},{"ecosystem":"npm","name":"chalk-template","href":"/ti/packages/npm/chalk-template","threat_types":["crypto_drainer"],"versions":["1.1.1"]},{"ecosystem":"npm","name":"backslash","href":"/ti/packages/npm/backslash","threat_types":["crypto_drainer"],"versions":["0.2.1"]}],
"indicators":[{"kind":"sha1","value":"fc4a4858bafef54d1b1d7697bfb5c52f4c166976","href":"/ti/ioc/sha1/fc4a4858bafef54d1b1d7697bfb5c52f4c166976","context":"SHA-1/commit-like hash from blog post; the same 40 hex characters appear in this record as wallet 0xfc4a4858bafef54d1b1d7697bfb5c52f4c166976, so confirm it is a file or commit hash before matching on it"},{"kind":"md5","value":"19111111111111111111111111111111","href":"/ti/ioc/md5/19111111111111111111111111111111","context":"MD5 hash from blog post; the value is almost entirely one repeated digit, which is atypical for a digest, so verify it against the report before use"},{"kind":"wallet","value":"0x66a9893cC07D91D95644AEDD05D03f95e1dBA8Af","href":"/ti/ioc/wallet/0x66a9893cC07D91D95644AEDD05D03f95e1dBA8Af","context":"Cryptocurrency wallet address from blog post"},{"kind":"wallet","value":"0x10ed43c718714eb63d5aa57b78b54704e256024e","href":"/ti/ioc/wallet/0x10ed43c718714eb63d5aa57b78b54704e256024e","context":"Cryptocurrency wallet address from blog post"},{"kind":"wallet","value":"0x13f4ea83d0bd40e75c8222255bc855a974568dd4","href":"/ti/ioc/wallet/0x13f4ea83d0bd40e75c8222255bc855a974568dd4","context":"Cryptocurrency wallet address from blog post"},{"kind":"wallet","value":"0x1111111254eeb25477b68fb85ed929f73a960582","href":"/ti/ioc/wallet/0x1111111254eeb25477b68fb85ed929f73a960582","context":"Cryptocurrency wallet address from blog post"},{"kind":"wallet","value":"0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9f","href":"/ti/ioc/wallet/0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9f","context":"Cryptocurrency wallet address from blog post"},{"kind":"wallet","value":"0xfc4a4858bafef54d1b1d7697bfb5c52f4c166976","href":"/ti/ioc/wallet/0xfc4a4858bafef54d1b1d7697bfb5c52f4c166976","context":"Cryptocurrency wallet address from blog post"},{"kind":"wallet","value":"0x66a9893cc07d91d95644aedd05d03f95e1dba8af","href":"/ti/ioc/wallet/0x66a9893cc07d91d95644aedd05d03f95e1dba8af","context":"Cryptocurrency wallet address from blog post (lowercase form of 0x66a9893cC07D91D95644AEDD05D03f95e1dBA8Af, listed above; compare addresses case-insensitively)"},{"kind":"wallet","value":"0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976","href":"/ti/ioc/wallet/0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976","context":"Cryptocurrency wallet address from blog post (mixed-case form of 0xfc4a4858bafef54d1b1d7697bfb5c52f4c166976, listed above; compare addresses case-insensitively)"},{"kind":"wallet","value":"0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024","href":"/ti/ioc/wallet/0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024","context":"Cryptocurrency wallet address from blog post"},{"kind":"wallet","value":"0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B","href":"/ti/ioc/wallet/0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B","context":"Cryptocurrency wallet address from blog post"}],
"ttps":[{"name":"Supply Chain Compromise: Compromise Software Dependencies and Development Tools","mitre_attack_id":"T1195.001","href":"/ti/ttps/T1195.001"},{"name":"Command and Scripting Interpreter: JavaScript","mitre_attack_id":"T1059.007","href":"/ti/ttps/T1059.007"},{"name":"Exfiltration Over C2 Channel","mitre_attack_id":"T1041","href":"/ti/ttps/T1041"},{"name":"Unsecured Credentials: Private Keys","mitre_attack_id":"T1552.004","href":"/ti/ttps/T1552.004"},{"name":"Ingress Tool Transfer","mitre_attack_id":"T1105","href":"/ti/ttps/T1105"}],
"related_campaigns":[],"reports":[{"title":"npm Supply Chain Attack: Multiple Popular Packages Hijacked (1B+ Weekly Downloads)","url":"https://safedep.io/multiple-npm-packages-compromised-billion-downloads","published_at":"2025-09-08"}]}