Multiple npm packages have been compromised as part of a software supply chain attack after a maintainer’s account was compromised in a phishing attack.
The attack targeted Josh Junon (aka Qix), who received an email message that mimicked npm (“support@npmjs[.]help”), urging them to update their update their two-factor authentication (2FA) credentials before September 10, 2025, by clicking on