
Critical npm supply chain attack response - September 8, 2025

Blog post from Vercel

Post Details
Company: Vercel
Word count: 524
Language: English
Summary

On September 8, 2025, a supply chain attack compromised 18 widely used npm packages, among them chalk, debug, and ansi-styles. The attacker published versions carrying injected code that runs in the browser and intercepts cryptocurrency transactions. The same campaign later reached DuckDB-related packages after the duckdb_admin account was taken over; Vercel reports that none of its customers were affected by the DuckDB incident.

The initial compromise traced back to a phishing campaign against npm package maintainers: a fraudulent domain, presented as a required two-factor authentication update, harvested maintainer credentials.

Vercel's response was to identify affected projects, purge their build caches, and notify impacted customers with specific remediation guidance. The company also committed to strengthening its own supply chain posture by expanding monitoring and improving tooling for rapid cache invalidation. Customers were advised to rebuild affected projects, review how they take dependency updates, and run npm audit and dependency scanning.

The post frames the incident as a case for defense in depth and for rapid detection and response to limit impact, and credits Aikido Security and the npm community for their role in identifying and removing the compromised packages.
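The first response step described above, identifying which projects have the compromised packages in their dependency tree, comes down to checking lockfiles for the exact versions the attacker published. The following is an added example written for this page, not Vercel's tooling and not code from the original post. It scans an npm lockfile (v1 nested tree or v2/v3 flat `packages` map) for exact-version matches against a denylist. The versions in `AFFECTED` are the ones this example's author believes were published by the attacker for the three packages the post names; confirm them against the npm advisory before relying on the list, and extend it to all 18 packages. The lockfile it scans is constructed inline for the demo.

```javascript
// Added example (not Vercel's code): scan an npm lockfile for pinned
// versions of packages named in a compromise advisory.
//
// AFFECTED lists the versions this example's author believes were published
// by the attacker on 2025-09-08 for three of the 18 packages. Verify against
// the npm advisory and extend before using this for real triage.
const AFFECTED = {
  chalk: new Set(['5.6.1']),
  debug: new Set(['4.4.2']),
  'ansi-styles': new Set(['6.2.2']),
};

// Package name from a lockfile v2/v3 "packages" key such as
// "node_modules/chalk" or "node_modules/a/node_modules/@scope/b".
// Scoped names contain a slash, so take everything after the last
// "node_modules/" segment rather than the last path component.
function nameFromPath(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Returns a sorted list of "name@version" strings for every installed copy
// of a package whose exact version is on the denylist. Nested (non-hoisted)
// copies are checked too, since a clean hoisted chalk does not clear a
// compromised one buried under another dependency.
function findAffected(lock, affected = AFFECTED) {
  const hits = new Set();
  const check = (name, version) => {
    if (name && affected[name] && affected[name].has(version)) {
      hits.add(`${name}@${version}`);
    }
  };
  if (lock.packages) {
    // lockfileVersion 2 or 3: flat map keyed by install path.
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '') continue; // root project entry, not a dependency
      check(nameFromPath(key), meta.version);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree keyed by package name.
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps)) {
        check(name, meta.version);
        if (meta.dependencies) walk(meta.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return [...hits].sort();
}

// Constructed sample lockfile (v3 layout) for the demo: a clean hoisted
// chalk and debug, plus a transitive dependency that pins the compromised
// chalk and ansi-styles under its own node_modules.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { chalk: '^5.0.0', debug: '^4.0.0' } },
    'node_modules/chalk': { version: '5.3.0' },
    'node_modules/debug': { version: '4.3.7' },
    'node_modules/some-cli': {
      version: '1.0.0',
      dependencies: { chalk: '^5.6.0', 'ansi-styles': '^6.2.0' },
    },
    'node_modules/some-cli/node_modules/chalk': { version: '5.6.1' },
    'node_modules/some-cli/node_modules/ansi-styles': { version: '6.2.2' },
  },
};

// Stand-alone run: prints the two compromised installs in the sample.
console.log(findAffected(SAMPLE_LOCK).join('\n'));
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Any hit means the project's next build should start from a purged cache and a regenerated lockfile, which is the rebuild guidance the post gives; a clean result only covers the packages in the denylist, so npm audit and a dependency scanner remain the broader check.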