npm incidents
left-pad incident (2016)
cause: Azer got angry
Just deleted the package
babel was broken
npm's unpublish policy changed
The incident was triggered by npm's mishandling of the kik npm module
https://gyazo.com/91ef19efaa58939b9092677ce64be713
eslint-scope incident (2018)
cause: Attack
Tried to steal npm credentials
event-stream incident (2018)
cause: Attack
Tried to steal cryptocurrency
ua-parser-js incident (2021)
cause: Attack
Tried to mine cryptocurrency (Windows and Linux)
Also tried to steal credentials from 100 apps (Windows only)
React Native packages (2025)
cause: Attack
https://gbhackers.com/16-react-native-packages-with-millions-of-downloads-compromised/
@react-native-aria/focus @react-native-aria/utils @react-native-aria/interactions @gluestack-ui/utils @react-native-aria/button @react-native-aria/slider etc. compromised
Embeds a RAT with the commands ss_info and ss_ip
The payload is hidden through whitespace-based obfuscation
NX compromised (2025)
cause: Attack
https://www.aikido.dev/blog/popular-nx-packages-compromised-on-npm
Steals credentials from a postinstall lifecycle script
Leverages the AI agents installed on the host to collect credentials effectively (!)
chalk (2025)
cause: Attack
Phishing of the maintainer
Steals Ethereum when deployed to the browser (very ineffective attack imo)
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
@ctrl incident
cause: Attack
https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages
Steals credentials from a postinstall lifecycle script
#WebDev