Attack on node.js: No danger for NoSpamProxy customers

On Monday, September 8, 2025, a significant attack on the software package supply chain for the widely used JavaScript runtime environment node.js was discovered. There is no danger for NoSpamProxy customers.

The attackers used spear phishing to gain access to a developer’s npm account and used the package manager to inject obfuscated malicious code into numerous popular packages. Based on current information, this appears to be the largest successful attack on npm to date.

About 20 of these are packages from the developer qix, which are downloaded more than two billion times a week. This has an impact on large parts of the Node.js universe. Furthermore, there are indications that packages from other developers may also have been contaminated with malware.

The malware discovered and investigated so far manipulates certain browser routines to intercept and manipulate data in the victim’s web browser. This affects both classic network traffic and traffic to and from programming interfaces (API). In addition, routines in any installed browser extensions for cryptocurrency wallets are modified.

The attackers’ goal is apparently to steal units of various cryptocurrencies. The malware waits for strings that look like wallet addresses and replaces the legitimate addresses with other addresses that are presumably controlled by the attacker.

Although we use npm in the development of NoSpamProxy, we do not use the compromised packages. There is therefore no danger for NoSpamProxy customers.