Hello and welcome to the Tuesday, September 9th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought to you by the sands.edu graduate certificate program

in industrial control systems security. Today, I do want to do things a little bit different.

Usually I start with the diary of the day, but there has been a major compromise of NPM libraries.

So I want to give that a little bit of more prominent position.

The issue here is that in particular one developer,

he goes in NPM under QIX or Quix, Joss Junon,

has been affected by this particular compromise, and as a result, some major, major

NPM libraries have been compromised.

So, for example, the Error-EX library with 47 million downloads per week.

The color name with 199 million downloads per week,

many, many other libraries sort of in the millions of downloads per week range

have been compromised and have been infected,

if you want to call it that way, or substitute it,

with libraries that are including

browser hijack functions. The hijacked libraries are essentially intercepting calls to XMLHP

request and fetch. They're looking for requests that are then going to crypto coin-related domains and are replacing them with sort of, again, look-alike domains and with the goal of intercepting things like crypto-coin keys and usernames, passwords, and the like.

So that appears to be the main motivation behind this attack. Now, how can

something like this happen to a major developer like this? Well, the problem here was yet again

phishing. The email came from support at npmj.js. dot help. The normal domain would be a dot com domain,

but of course the attacker owns the domain,

...