... all to steal a couple dollars

Posted Sep 8, 2025 22:17 UTC (Mon) by TheJH (subscriber, #101155)
Parent article: npm debug and chalk packages compromised (Aikido)

This is a fun take on it: https://www.securityalliance.org/news/2025-09-npm-supply-... "Oops, No Victims: The Largest Supply Chain Attack Stole 5 Cents"

"Earlier today, at around 9:30 AM ET, an attacker compromised all packages published by qix, including extremely popular packages such as chalk and debug-js. Collectively, the packages have over 2 billion downloads per week, making this likely the largest supply chain attack in history."

"Despite the magnitude of the breach, the attacker appears to have only “stolen” around 5 cents of ETH and 20 USD of a memecoin with a whopping 588 USD of trading volume over the past 24 hours."


... all to steal a couple dollars

Posted Sep 9, 2025 8:19 UTC (Tue) by NAR (subscriber, #1313)

I guess the impact was very limited because Ethereum and that other crypto are just not popular (and the window of vulnerability was(?) pretty short).

... all to steal a couple dollars

Posted Sep 9, 2025 12:10 UTC (Tue) by Kluge (subscriber, #2881)

That analysis would be more convincing if it didn't come from a pro-crypto site that didn't explain its estimate of the amount stolen.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds