
Security Alert | chalk, debug and color on npm compromised in new supply chain attack

Blog post from Semgrep

Post Details
Company: Semgrep
Author: Katie Paxton-Fear
Word Count: 655
Language: English
Summary

In September 2025, a supply chain attack compromised several npm packages, including widely downloaded ones such as "debug" and "chalk", by inserting cryptostealer malware that targets cryptocurrency transactions. The attack originated from a single contributor's compromised account, most likely taken over through a phishing email, and led to obfuscated JavaScript being inserted into the packages' index files. Despite the potential impact on millions of projects, the open-source and security communities responded swiftly, and many of the malicious package versions were removed from npm within an hour. Affected versions of the duckdb package were deprecated, and users were advised to avoid them. The incident underscores how exposed software supply chains are to account-takeover attacks and how much a fast community response limits the damage. DuckDB announced that it would skip version 1.3.3 and proceed directly to 1.4.0, while Semgrep released rules to help developers identify and remediate the compromised dependencies in their projects.