Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Josh Junon (qix) hit by network compromise

Incident
First reported
Last updated
Happening score
H score 21
2 unique sources, 3 articles

Summary

Hide ▲

Josh Junon (qix) confirmed a phishing-driven account compromise that let attackers inject malware into NPM packages, putting a supply chain with over 2.6 billion weekly downloads at risk. The malicious versions were later removed, but the compromise could still affect fresh installs that occurred during the brief exposure window. The injected code could hijack crypto and web3 transactions in the browser and redirect funds to attacker-controlled wallets.

Related Happenings

Lightning PyPI router_runtime.js credential-stealing payload

Malware Activity
First: 30.04.2026 19:31 Last: 30.04.2026 19:31 Sources 1

About this happening: The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...

Latest development: 04.05.2026 20:15

Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.

Open Happening

Mini Shai-Hulud SAP-related npm supply-chain campaign

Campaign
First: 29.04.2026 19:26 Last: 29.04.2026 19:26 Sources 1

About this happening: A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...

Latest development: 12.05.2026 11:50

Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.

Open Happening

Bitwarden hit by network compromise

Incident
First: 23.04.2026 22:21 Last: 23.04.2026 22:21 Sources 1

About this happening: **Bitwarden**'s **@bitwarden/cli** distribution channel was compromised when a malicious package briefly appeared on **npm**, putting developers who installed it at risk of **cred...

Open Happening

Smart Slider 3 Pro update system for WordPress hit by network compromise

Incident
First: 09.04.2026 19:15 Last: 09.04.2026 19:15 Sources 1

About this happening: The **Smart Slider 3 Pro** update system was compromised, and a **malicious 3.5.1.35** release was pushed to **WordPress and Joomla** sites. The bad update could create **hidden a...

Open Happening

Claude Code trojanized HTTP client delivery via npm

Malware Activity
First: 01.04.2026 09:12 Last: 01.04.2026 09:12 Sources 1

About this happening: The **npm** distribution path for **Claude Code** exposed some users to a **trojanized HTTP client**, creating a possible **cross-platform remote access trojan** delivery route. S...

Open Happening

Timeline

  1. 10.09.2025 20:56 1 articles · 8mo ago

    NPM supply-chain compromise reaches 10% of cloud environments

    Victim Impact Update

    A password-reset phishing campaign against npm maintainer Josh Junon spread malicious package updates through the NPM ecosystem, reaching roughly 10% of cloud environments during a two-hour download window and forcing cleanup, rebuilding, and auditing work. The same campaign also compromised DuckDB's maintainer account and pushed packages with the same crypto-stealing code.

    Show sources
    Open in new tab
  2. 09.09.2025 09:13 1 articles · 8mo ago

    Phishing compromise leads to rogue npm package publishes

    Initial Disclosure

    A fake support@npmjs[.]help message targeted npm maintainer Josh Junon (aka Qix), prompting a 2FA update before September 10, 2025 and enabling credential theft that was used to publish rogue versions to the npm registry. Twenty packages were confirmed affected, including [email protected], [email protected], and [email protected], with the compromised code designed to intercept cryptocurrency transaction requests and swap destination wallet addresses.

    Show sources
    Open in new tab
  3. 08.09.2025 19:47 1 articles · 8mo ago

    Initial report: Josh Junon (qix) hit by network compromise

    Initial Disclosure

    A phishing message impersonating **npm support** compromised a maintainer account and enabled malicious package updates in the **NPM** supply chain. The compromised releases created a short window in which fresh installs could receive browser-based transaction hijacking code.

    Show sources
    Open in new tab