When Dependencies Turn Dangerous: Responding to the NPM Supply Chain Attack
ID: dbb21164-d888-5006-bbfa-cf54c8f3b97c
STIX ID: report--dbb21164-d888-5006-bbfa-cf54c8f3b97c
Feed Name: Qualys Blog
**Supply-chain compromise of 18 popular npm packages (including chalk, debug, strip-ansi, etc.), published after a targeted phishing attack on a maintainer. The malicious versions (listed by package and version) contained obfuscated JavaScript that silently rewrote cryptocurrency transactions and, given roughly 2.6 billion weekly downloads, risked widespread downstream contamination across environments. The report outlines detection, containment steps (lockfile checks, cache purges, blocklisting, runtime hunts), and how Qualys SCA, TruRisk, Attack Path, and CDR can prioritize and stop active exploitation.**