"Yep, I got pwned. Sorry everyone, very embarrassing."

Martin Kraemer | Sep 10, 2025

In essence, that is the disclosure and notification message that the open-source developer "qix" sent to the world after he was socially engineered into giving up the access credentials to his GitHub account.

Using his account, the attackers inserted malware in a series of popular NPM packages to direct cryptocurrency payments to their own wallets.

While the actual financial damage appears to have been limited, because the malicious code triggered CI/CD compilation errors, the two hours during which the malicious code was published on GitHub would have been enough to cause significant damage to many organizations.

In this case, the payload was perhaps not well-tested, which appears to be a rookie mistake for cybercriminals. However, the damage could have been significant as several affected packages have average weekly downloads in the hundreds of millions: chalk (300M weekly downloads), debug (358M downloads), and ansi-styles (371M downloads).

The payload would have been very aggressive if deployed successfully:

  • address replacement in all browser calls made through the fetch and XMLHttpRequest functions, thereby intercepting all network traffic and replacing any crypto address with an attacker wallet
  • active transaction hijacking through wallet extensions such as MetaMask, replacing recipient addresses with attacker wallets so that users unwittingly approve transactions to the attacker
  • multi-chain support, including Bitcoin, Ethereum, Solana, Tron and others

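
As an added example (not code from the original post or from the affected packages), here is a defender-side runtime check for the two browser primitives the payload hooked, fetch and XMLHttpRequest: capture the genuine functions before any dependency runs, then re-check for replacement before sensitive actions. Assumptions: the snapshot runs first, and genuine browser implementations stringify to "[native code]" (Node's fetch is plain JavaScript, so the functions take the global object as a parameter and the demo passes a constructed one).

```javascript
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// label, how to reach the object holding the function, property name
const TARGETS = [
  ["fetch", (g) => g, "fetch"],
  ["XMLHttpRequest.prototype.open", (g) => g.XMLHttpRequest?.prototype, "open"],
  ["XMLHttpRequest.prototype.send", (g) => g.XMLHttpRequest?.prototype, "send"],
];

// Engine-provided functions stringify to "[native code]"; a JavaScript wrapper
// installed by a malicious package does not. A Proxy around the real function
// is the known exception, which is why the identity check below comes first.
function isNativeFunction(fn) {
  return typeof fn === "function" && NATIVE_RE.test(Function.prototype.toString.call(fn));
}

// Run before any third-party code (assumption: from the first inline script)
// to capture the genuine function objects.
function snapshotNetworkPrimitives(g = globalThis) {
  const snap = new Map();
  for (const [label, holder, key] of TARGETS) {
    const h = holder(g);
    if (h && typeof h[key] === "function") snap.set(label, h[key]);
  }
  return snap;
}

// Re-check later (on a timer, or right before a wallet transaction is sent).
// Returns a list of findings; an empty list means nothing looked patched.
function checkNetworkPrimitives(snap, g = globalThis) {
  const findings = [];
  for (const [label, holder, key] of TARGETS) {
    const original = snap.get(label);
    if (original === undefined) continue; // absent at snapshot time, e.g. XHR in Node
    const h = holder(g);
    const current = h ? h[key] : undefined;
    if (current !== original) {
      findings.push(`${label}: replaced since snapshot`);
    } else if (!isNativeFunction(current)) {
      findings.push(`${label}: not native code`);
    }
    // An accessor property can hand out a fresh wrapper on every read.
    const desc = h && Object.getOwnPropertyDescriptor(h, key);
    if (desc && typeof desc.get === "function") findings.push(`${label}: accessor property`);
  }
  return findings;
}
```

Treat any finding as a reason to stop the transaction flow and alert, not merely to log it.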
The open-source packages mentioned above are likely used by countless applications, from small startups to Fortune 500 companies. The incident highlights the challenges of the open-source supply chain, where a single compromised maintainer account can affect billions of installations across the global software ecosystem. While the open-source community runs on trust, highly targeted attacks like this one show an emerging pattern of high-impact supply chain attacks on developer infrastructure.

The solution: carefully implement security safeguards in your CI/CD system. Enhanced security measures across the open-source ecosystem are urgently required, including phishing-resistant multi-factor authentication, trusted publishing mechanisms and improved monitoring of package changes.

Organizations should no longer blindly trust package managers, as any update could potentially introduce malicious code. Instead, updates must be verified and monitored to keep the organization's software ecosystem protected.

The developer's initial announcement: https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y

Here is the full technical analysis: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack

Here is what the attack would look like in real life: https://github.com/naugtur/running-qix-malware?tab=readme-ov-file

Find out if your organization's MFA solution can be hacked by cybercriminals now!

Did you know that all MFA mechanisms can be hacked, and in some cases it's as simple as sending a phishing email? That's why it's important to know the exact security risks your MFA solution has and how your users' accounts may be compromised.

Here's how MASA works:

  • You will receive a custom link to take your assessment
  • Answer a series of technology questions relevant to your MFA solution
  • Get an instant high-level snapshot of potential risks with your MFA
  • Receive your in-depth report packed with actionable insight and detailed analysis on specific MFA attacks and tips for your top defenses

Assess My MFA Solution Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/multi-factor-authentication-security-assessment

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.