<h1>Software packages with more than 2 billion weekly downloads hit in supply-chain attack</h1>
<p>Published 2025-09-09.</p>
<div>
<p>Hackers planted malicious code in open source software packages with more than 2 billion weekly updates in what is likely to be the world’s biggest supply-chain attack ever.</p>
<p>The attack, which compromised nearly two dozen packages hosted on the npm repository, came to public notice on Monday in <a href="https://infosec.exchange/@derekheld/115169311485030806">social</a> <a href="https://infosec.exchange/@GossiTheDog@cyberplace.social/115169391665497997">media</a> posts. Around the same time, Josh Junon, a maintainer or co-maintainer of the affected packages, <a href="https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y">said</a> he had been “pwned” after falling for an email that claimed his account on the platform would be closed unless he logged into a site and updated his two-factor authentication credentials.</p>
<h2>Defeating 2FA the easy way</h2>
<p>“Sorry everyone, I should have paid more attention,” Junon, who uses the moniker Qix, wrote. “Not like me; have had a stressful week. Will work to get this cleaned up.”</p>
<p><a href="https://arstechnica.com/security/2025/09/software-packages-with-more-than-2-billion-weekly-downloads-hit-in-supply-chain-attack/">Read full article</a></p>
</div>