On September 8th, 2025, a large-scale supply chain attack was confirmed, affecting at least 25 widely used npm packages, collectively downloaded over two billion times weekly. High-profile maintainers were targeted with phishing emails that allowed attackers to steal their credentials and publish malicious versions of a series of packages on npm. The trojanized versions include a browser-based interceptor that monitors crypto wallet and web3 activity. It detects crypto transaction formats, alters wallet operations, and redirects payments and approvals to attacker-controlled wallets. In addition to stealing crypto wallet data, the campaign expands the threat landscape by intercepting web traffic, exposing a broad spectrum of sensitive credentials and personal information.
Although the malicious packages are no longer available for download, the threat remains significant as the campaign is still active, and additional maintainers are likely to be targeted. Organizations are advised to raise employee awareness of the activity and block compromised package downloads.
On September 8th, 2025, the npm maintainer Qix fell victim to a sophisticated phishing attack disguised as an npm support email from support@npmjs[.]help. The email stated that the maintainer’s account would be locked unless Two-Factor Authentication (2FA) was updated. This led to the credentials and the 2FA token being harvested via an Adversary-in-the-Middle (AiTM) attack. Using this access, the attackers published malicious versions of numerous high-profile npm packages that collectively register over two billion downloads weekly.
According to Aikido.dev, the malicious code first injects itself into the browser environment at runtime. Once injected, it hooks core browser functions such as fetch and XMLHttpRequest, as well as wallet-specific APIs including window.ethereum for Ethereum and Solana-related interfaces. By doing this, the malware ensures it can intercept both general web traffic and cryptocurrency wallet operations. The malware continuously scans network responses and transaction payloads for sensitive data, particularly cryptocurrency wallet addresses or transfer details. It is capable of recognizing multiple address formats across popular blockchains, including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash.
After identifying target transactions, the malware rewrites the destination addresses, replacing the legitimate recipient with an attacker-controlled address. To make these changes less obvious, the malware often uses “lookalike” addresses that closely resemble the original. The malware hijacks transactions before they are signed, altering parameters such as Ethereum or Solana recipients, approvals, and allowances. Even if the user interface displays the correct transaction information, the signed transaction is routed to the attacker’s wallet.
The attack affected several packages and versions, which are listed in Table 1. According to security firm Socket, the npm supply-chain attack that compromised the maintainer “qix” has also extended to another high-profile maintainer known as “duckdb_admin.” The affected versions are listed in Table 2.
Security teams should immediately audit their dependencies and confirm whether the malicious package versions are present in their projects. If these versions are detected, defenders should roll back to a safe version and monitor their systems for any evidence of suspicious cryptocurrency wallet redirection.
Table 1: Compromised npm packages

| Package | Version |
| --- | --- |
| backslash | 0.2.1 |
| chalk-template | 1.1.1 |
| supports-hyperlinks | 4.1.1 |
| has-ansi | 6.0.1 |
| simple-swizzle | 0.2.3 |
| color-string | 2.1.1 |
| error-ex | 1.3.3 |
| color-name | 2.0.1 |
| is-arrayish | 0.3.3 |
| slice-ansi | 7.1.1 |
| color-convert | 3.1.1 |
| wrap-ansi | 9.0.1 |
| ansi-regex | 6.2.1 |
| supports-color | 10.2.1 |
| strip-ansi | 7.1.1 |
| chalk | 5.6.1 |
| debug | 4.4.2 |
| ansi-styles | 6.2.2 |

Table 2: DuckDB-related packages

| Package | Version |
| --- | --- |
| @coveops/abi | 2.0.1 |
| @duckdb/duckdb-wasm | 1.29.2 |
| @duckdb/node-api | 1.3.3 |
| @duckdb/node-bindings | 1.3.3 |
| duckdb | 1.3.3 |
| prebid | 10.9.1 |
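As an added example (not eSentire's own tooling), the following Node script implements the dependency audit recommended above: it walks a package-lock.json and reports any install whose name and exact version match the pairs in Tables 1 and 2. It assumes a lockfileVersion 2 or 3 lockfile (flat "packages" map); the embedded sample lockfile is constructed, not taken from a real project.

```javascript
// Compromised package@version pairs from Table 1 and Table 2 of the advisory.
const COMPROMISED = {
  backslash: '0.2.1', 'chalk-template': '1.1.1', 'supports-hyperlinks': '4.1.1',
  'has-ansi': '6.0.1', 'simple-swizzle': '0.2.3', 'color-string': '2.1.1',
  'error-ex': '1.3.3', 'color-name': '2.0.1', 'is-arrayish': '0.3.3',
  'slice-ansi': '7.1.1', 'color-convert': '3.1.1', 'wrap-ansi': '9.0.1',
  'ansi-regex': '6.2.1', 'supports-color': '10.2.1', 'strip-ansi': '7.1.1',
  chalk: '5.6.1', debug: '4.4.2', 'ansi-styles': '6.2.2',
  '@coveops/abi': '2.0.1', '@duckdb/duckdb-wasm': '1.29.2',
  '@duckdb/node-api': '1.3.3', '@duckdb/node-bindings': '1.3.3',
  duckdb: '1.3.3', prebid: '10.9.1',
};

// A lockfile path names the package after its last "node_modules/" segment;
// this also covers nested installs and scoped packages such as @duckdb/node-api.
function nameFromPath(lockPath) {
  const i = lockPath.lastIndexOf('node_modules/');
  return i < 0 ? null : lockPath.slice(i + 'node_modules/'.length);
}

// Walks the flat "packages" map of a lockfileVersion 2/3 package-lock.json and
// returns every install whose name and exact resolved version are on the list.
function findCompromised(lock) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(lockPath); // the '' key is the root project, skip it
    if (name && COMPROMISED[name] === meta.version) {
      hits.push({ path: lockPath, name, version: meta.version });
    }
  }
  return hits;
}

// Reads a real lockfile from disk and audits it.
function scanLockfile(file) {
  return findCompromised(JSON.parse(require('node:fs').readFileSync(file, 'utf8')));
}

// Constructed sample lockfile: a direct chalk hit, a safe ansi-styles, a nested strip-ansi hit.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.6.1' },
    'node_modules/ansi-styles': { version: '6.2.1' },
    'node_modules/foo/node_modules/strip-ansi': { version: '7.1.1' },
  },
};

// Demo on the sample; use scanLockfile('package-lock.json') on a real project.
console.log(findCompromised(SAMPLE_LOCK));
```

The check matches exact resolved versions because a caret range in package.json does not reveal what was actually installed; only the lockfile (or node_modules) does.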
References:
[1] https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
[2] https://socket.dev/blog/duckdb-npm-account-compromised-in-continuing-supply-chain-attack
[3] https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection/blob/main/Uncategorized/NPM%20debug%20and%20chalk%20compromise%2009-2025.md#description
[4] https://www.linkedin.com/posts/kostastsale_hackers-hijack-npm-packages-with-2-billion-activity-7370922481530036224-NG_l?