
blog.checkpoint.com

The Great NPM Heist – September 2025 - Check Point Blog

9/10/2025Updated 3/28/2026
https://blog.checkpoint.com/crypto/the-great-npm-heist-september-2025/

On September 8, 2025, the JavaScript ecosystem experienced what is now considered the largest supply chain attack in npm history. A sophisticated phishing campaign led to the compromise of a trusted maintainer’s account, resulting in the injection of cryptocurrency-stealing malware into 18+ foundational npm packages. These packages collectively accounted for **over 2 billion weekly downloads**, affecting millions of applications globally—from personal projects to enterprise-grade systems.

…

##### Recommendations

For developers & teams:

- Use `npm ci` instead of `npm install` to enforce lockfile integrity.
- Pin package versions using `overrides` in `package.json`.
- Audit dependencies regularly with tools like `npm audit`, Snyk, or Socket.dev.
- Review lockfile changes in pull requests.
- Enable 2FA with hardware keys for all maintainer accounts.
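One way to act on the "review lockfile changes in pull requests" item, as an added example that is not code from the Check Point post: compare the `packages` map of two `package-lock.json` objects (lockfileVersion 2/3) and report added, removed and changed dependencies, plus two things a reviewer should never wave through: an integrity hash that changed without a version change, and a tarball resolved from somewhere other than the default registry. The package names and hashes in the sample lockfiles are constructed placeholders, not the packages from the incident.

```javascript
// Added example: diff two package-lock.json objects for pull-request review.
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';

function diffLockfiles(before, after) {
  const prev = before.packages || {};
  const next = after.packages || {};
  const report = { added: [], removed: [], changed: [], warnings: [] };

  for (const [path, entry] of Object.entries(next)) {
    if (path === '') continue;                 // "" is the root project itself
    const old = prev[path];
    if (!old) {
      report.added.push(`${path}@${entry.version}`);
    } else if (old.version !== entry.version) {
      report.changed.push(`${path}: ${old.version} -> ${entry.version}`);
    } else if (old.integrity !== entry.integrity) {
      // Same version, different content hash: the registry never republishes a version.
      report.warnings.push(`${path}@${entry.version}: integrity changed at same version`);
    }
    // A resolved URL outside the default registry means the tarball source moved.
    if (entry.resolved && !entry.resolved.startsWith(DEFAULT_REGISTRY)) {
      report.warnings.push(`${path}: resolved from ${entry.resolved}`);
    }
  }
  for (const [path, old] of Object.entries(prev)) {
    if (path !== '' && !next[path]) report.removed.push(`${path}@${old.version}`);
  }
  return report;
}

// Constructed sample lockfiles (hypothetical package names and hashes).
const beforeLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/pkg-a': { version: '1.2.0', resolved: 'https://registry.npmjs.org/pkg-a/-/pkg-a-1.2.0.tgz', integrity: 'sha512-AAA' },
  'node_modules/pkg-b': { version: '4.0.1', resolved: 'https://registry.npmjs.org/pkg-b/-/pkg-b-4.0.1.tgz', integrity: 'sha512-BBB' },
}};
const afterLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/pkg-a': { version: '1.2.1', resolved: 'https://registry.npmjs.org/pkg-a/-/pkg-a-1.2.1.tgz', integrity: 'sha512-AAB' },
  'node_modules/pkg-b': { version: '4.0.1', resolved: 'https://registry.npmjs.org/pkg-b/-/pkg-b-4.0.1.tgz', integrity: 'sha512-XXX' },
  'node_modules/pkg-c': { version: '0.1.0', resolved: 'https://mirror.example.invalid/pkg-c-0.1.0.tgz', integrity: 'sha512-CCC' },
}};

const review = diffLockfiles(beforeLock, afterLock);
console.log(JSON.stringify(review, null, 2));
```

In a CI job the two objects would be read from the base and head commits with `JSON.parse(fs.readFileSync(...))`, and a non-empty `warnings` array should fail the check rather than just print.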