A coordinated supply chain attack is underway targeting more than 140 npm packages, with affected packages automatically adding a dependency that resolves to a malicious version, according to SlowMist monitoring.
According to Foresight News, the impacted packages add a dependency on easy-day-js@^1.11.21 during installation, which automatically resolves to the malicious [email protected]. The malicious package triggers attacker-controlled code through installation hooks.
SlowMist said potential attacker actions include executing code during installation, maintaining persistence on Windows, macOS, and Linux, collecting browser history, inventorying cryptocurrency wallet extensions, exposing credentials or CI keys through follow-up actions, and exfiltrating data.
For systems that installed affected versions, SlowMist advised treating them as potentially compromised. Recommended steps include removing the malicious version and easy-day-js, deleting node_modules and package caches, reinstalling known clean versions using verified lockfiles, isolating affected hosts, preserving logs, removing persistence artifacts, and rotating potentially exposed credentials related to npm, GitHub, cloud services, SSH/Git, CI/CD, and wallets.
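One way to check a project for the dependency pattern the advisory describes, as an added example that is not from SlowMist or the article: walk the `packages` map of a lockfileVersion 2/3 `package-lock.json`, flag any `easy-day-js` entry, any package that pulls it in, and any entry npm has marked with `hasInstallScript` (the hook mechanism the malicious version abuses). The lockfile below is constructed sample data; `some-ui-lib` and the `0.0.0-placeholder` version are assumptions, since the article does not name the affected packages or the exact malicious version.

```javascript
// Added example, not the project's or SlowMist's code.
// Audits a package-lock.json (lockfileVersion 2/3) for the easy-day-js
// dependency and for packages that declare install-time scripts.
const SUSPECT = 'easy-day-js';

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Root entry has path ""; nested entries are "node_modules/<name>" chains.
    const name = path === '' ? '(root)' : path.split('node_modules/').pop();
    if (name === SUSPECT) {
      findings.push({ path, reason: `${SUSPECT}@${entry.version} is installed` });
    }
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (SUSPECT in deps) {
      findings.push({ path, reason: `${name} depends on ${SUSPECT}@${deps[SUSPECT]}` });
    }
    if (entry.hasInstallScript) {
      findings.push({ path, reason: `${name} declares an install script (preinstall/postinstall)` });
    }
  }
  return findings;
}

// Constructed sample lockfile: one hypothetical package pulling in the
// "^1.11.21" range from the advisory; the version string is a placeholder.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'some-ui-lib': '^2.0.0' } },
    'node_modules/some-ui-lib': { version: '2.0.1', dependencies: { 'easy-day-js': '^1.11.21' } },
    'node_modules/easy-day-js': { version: '0.0.0-placeholder', hasInstallScript: true },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

Against a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; any finding means the host should be handled as the advisory describes rather than just having the package removed.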
Coordinated Supply Chain Attack Targets Over 140 Npm Packages, SlowMist Says
2026-06-17 11:14:02