Supply chain attackers had a loud quarter. Between July 1 and September 22, 2025, tracker aggregation across Socket, Snyk, Phylum, and JFrog flagged 4,840 malicious packages across npm, PyPI, RubyGems, NuGet, and crates.io, an 11% jump over Q2. The more significant shift was qualitative: a coordinated phishing campaign against npm maintainers at the end of July resulted in the compromise of widely used packages including the high-velocity debug and chalk lines, which together account for an estimated 2 billion weekly downloads. Meanwhile, the Microsoft-owned VS Code Marketplace hit a year-to-date record of 187 malicious extensions removed, and at least three CI/CD providers disclosed credential-scoping incidents. This quarterly recap focuses on the patterns worth carrying into Q4 planning.
What was the biggest single incident of Q3?
The September 8 compromise of eighteen npm packages maintained by Josh Junon (qix), including chalk, strip-ansi, and color-convert. Socket and Aikido published a coordinated analysis within hours. The malware injected was a browser-side wallet drainer targeting Ethereum and Solana transactions by hooking window.ethereum. Because the affected packages sit deep in transitive graphs, the effective exposure was the entire front-end JavaScript ecosystem for a roughly two-hour window before npm revoked the bad versions. Actual downstream theft was limited, reportedly under $50,000, but the event is the clearest demonstration to date that phishing a single maintainer can rattle the global JavaScript install base.
How did attackers get to the maintainers?
Lookalike-domain phishing with an npm-branded "2FA reset required" page hosted on npmjs[.]help. Multiple maintainers reported the email in early September; at least two fell for it. The attacker then replaced the maintainers' npm authentication tokens and published new minor versions within minutes. The event revived the long-running conversation about mandatory hardware-key enforcement for high-traffic maintainers, which npm had previously made optional. On September 18, GitHub announced that packages in the top 500 by weekly downloads will require WebAuthn-based 2FA for publish, effective November 1, 2025.
Did PyPI and other registries see similar patterns?
Yes, at smaller scale. PyPI registered a July campaign of 287 typosquats targeting popular ML libraries (torch, scikit-learn, tensorflow) with wheels that exfiltrated Hugging Face tokens. RubyGems saw a crypto-wallet stealer cluster targeting rails-related gems in August. NuGet continues to be dominated by cryptocurrency miner payloads aimed at build servers. The cross-registry pattern is that attackers are increasingly choosing packages for reach, not obscurity; the "long tail" is less interesting when one top-500 package can deliver seven-figure download counts in a day.
What is the CI/CD angle in Q3?
Three disclosures are worth noting. On July 22, a popular GitHub Actions provider rotated OIDC signing keys after detecting anomalous token minting. On August 14, CircleCI published a postmortem on a scoped credential leak affecting roughly 1,400 customer projects. On September 5, a Drone CI fork (Gitea-tied) disclosed a webhook validation bypass, CVE-2025-54932, that allowed arbitrary pipeline triggers. None was catastrophic, but they confirm the attacker shift that Mandiant flagged in its July 2025 M-Trends supplement: CI/CD is now the highest-ROI supply chain target because a single runner credential can publish artifacts, sign container images, and access secrets.
# Minimum hardening expected in Q4
github_actions:
  permissions: read-all
  pin_actions_to_sha: true
  oidc_audience: deploy.prod
  secret_scan_on_push: true
What should security teams act on in Q4 2025?
Prioritize three controls. First, enforce hardware-backed 2FA on your own package publish accounts before GitHub mandates it. Second, pin dependencies by integrity hash, not just version range, and review Dependabot auto-merge rules for packages that reached the top 500, since the September event moved so fast that auto-merge would have shipped the malicious chalk to customers. Third, inventory your CI/CD runner credentials, rotate OIDC audiences quarterly, and separate publish credentials from build credentials.
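For the second control, a lockfile audit can run as a merge gate. The following is an added example, not code from any vendor named in this recap: it flags direct dependencies declared with version ranges and lockfile entries that lack a strong integrity hash or resolve outside a trusted registry. The function name `auditPins`, the `trustedRegistry` default, and the sample manifest (versions, URLs, placeholder hashes) are assumptions constructed for illustration.

```javascript
// Added example: flag dependencies not pinned by exact version and strong integrity hash.
// Targets package-lock.json lockfileVersion 2/3 (the "packages" map).
const RANGE = /^[\^~><*]|(^|\.)[xX*](\.|$)|\s|\|\||^latest$/; // common range forms only

// trustedRegistry is an assumption; substitute your own mirror if you use one.
function auditPins(pkg, lock, trustedRegistry = 'https://registry.npmjs.org/') {
  const findings = [];
  const direct = { ...pkg.dependencies, ...pkg.devDependencies };
  for (const [name, spec] of Object.entries(direct)) {
    if (RANGE.test(spec)) findings.push({ name, issue: 'range-spec', detail: spec });
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // The root entry, workspace links and bundled deps carry no hash of their own.
    if (path === '' || entry.link || entry.inBundle) continue;
    const name = path.split('node_modules/').pop();
    if (!entry.integrity) {
      findings.push({ name, issue: 'no-integrity', detail: entry.version });
    } else if (!/^sha(256|384|512)-/.test(entry.integrity)) {
      findings.push({ name, issue: 'weak-hash', detail: entry.integrity.split('-')[0] });
    }
    if (entry.resolved && !entry.resolved.startsWith(trustedRegistry)) {
      findings.push({ name, issue: 'off-registry', detail: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample input; hashes are placeholders, not real digests.
const SAMPLE_PKG = { dependencies: { chalk: '^5.3.0', debug: '4.3.4' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.3.0',
      resolved: 'https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz',
      integrity: 'sha512-PLACEHOLDER' },
    'node_modules/debug': { version: '4.3.4',
      resolved: 'https://registry.npmjs.org/debug/-/debug-4.3.4.tgz' },
    'node_modules/debug/node_modules/ms': { version: '2.1.2',
      resolved: 'https://registry.npmjs.org/ms/-/ms-2.1.2.tgz',
      integrity: 'sha512-PLACEHOLDER' },
    'node_modules/strip-ansi': { version: '7.1.0',
      resolved: 'https://mirror.example.invalid/strip-ansi-7.1.0.tgz',
      integrity: 'sha1-PLACEHOLDER' },
  },
};

for (const f of auditPins(SAMPLE_PKG, SAMPLE_LOCK)) console.log(f.issue, f.name, f.detail);
```

A gate like this pairs with `npm ci`, which installs exactly what the lockfile records and fails when package.json and the lockfile disagree.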
How Safeguard Helps
Safeguard monitors package compromise feeds across npm, PyPI, RubyGems, NuGet, and crates.io and raises a high-priority finding the moment a dependency pulls in a flagged version, typically within minutes of public disclosure. Policy gates can block merges or releases that include unreviewed transitive updates to high-reach packages like chalk or debug. For CI/CD posture, Safeguard inventories runner identities, secret scopes, and workflow permissions, surfacing overprivileged tokens before attackers do. The Q3 pattern, fast-moving compromises of popular dependencies, is exactly what the platform is built to detect and stop.