On September 8th, 2025, a large-scale supply chain attack was confirmed, affecting at least 25 widely used npm packages, collectively downloaded over two billion times weekly. High-profile maintainers were targeted with phishing emails that allowed attackers to steal their credentials and publish malicious versions of a series of packages on npm. The trojanized versions include a browser-based interceptor that monitors cryptocurrency wallet and web3 activity. It detects crypto transaction formats, alters wallet operations, and redirects payments and approvals to attacker-controlled wallets. In addition to stealing cryptocurrency wallet data, the campaign expands the threat landscape by intercepting web traffic, exposing a broad spectrum of sensitive credentials and personal information.
Although the malicious packages are no longer available for download, the threat remains significant as the campaign is still active, and additional maintainers are likely to be targeted. Organizations are advised to raise employee awareness of the activity and block compromised package downloads.
On September 8th, 2025, the npm maintainer Qix fell victim to a sophisticated phishing attack cloaked as an npm support email from support@npmjs[.]help. The email stated that the maintainer's account would be locked unless Two-Factor Authentication (2FA) was updated. This led to the credentials and the 2FA token being harvested via an Adversary-in-the-Middle (AiTM) attack. Using this access, the attackers published malicious versions of numerous high-profile npm packages that collectively register over two billion downloads weekly.
According to Aikido.dev, the malicious code first injects itself into the browser environment at runtime. Once injected, it hooks core browser functions such as fetch and XMLHttpRequest, as well as wallet-specific APIs including window.ethereum for Ethereum and Solana-related interfaces. By doing this, the malware ensures it can intercept both general web traffic and cryptocurrency wallet operations. The malware continuously scans network responses and transaction payloads for sensitive data, particularly cryptocurrency wallet addresses and transfer details. It is capable of recognizing multiple address formats across popular blockchains, including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash.
After identifying target transactions, the malware rewrites the destination addresses, replacing the legitimate recipient with an attacker-controlled address. To make these changes less obvious, the malware uses "lookalike" addresses that closely resemble the original. The malware hijacks transactions before they are signed, altering parameters such as Ethereum or Solana recipients, approvals, and allowances. Even if the user interface displays the correct transaction information, the signed transaction is routed to the attacker's wallet.
The attack affected several packages and versions, which are listed in Table 1. According to security firm Socket, the npm supply-chain attack that compromised the maintainer "qix" has also extended to another high-profile maintainer known as "duckdb_admin." The affected packages and versions are listed in Table 2.
Security teams should immediately audit their dependencies and confirm whether the malicious package versions are present in their projects. If these versions are detected, defenders should roll back to a safe version and monitor their systems for any evidence of suspicious cryptocurrency wallet redirection.
Table 1: Compromised npm packages

| Package | Version |
| --- | --- |
| backslash | 0.2.1 |
| chalk-template | 1.1.1 |
| supports-hyperlinks | 4.1.1 |
| has-ansi | 6.0.1 |
| simple-swizzle | 0.2.3 |
| color-string | 2.1.1 |
| error-ex | 1.3.3 |
| color-name | 2.0.1 |
| is-arrayish | 0.3.3 |
| slice-ansi | 7.1.1 |
| color-convert | 3.1.1 |
| wrap-ansi | 9.0.1 |
| ansi-regex | 6.2.1 |
| supports-color | 10.2.1 |
| strip-ansi | 7.1.1 |
| chalk | 5.6.1 |
| debug | 4.4.2 |
| ansi-styles | 6.2.2 |

Table 2: DuckDB-related packages

| Package | Version |
| --- | --- |
| @coveops/abi | 2.0.1 |
| @duckdb/duckdb-wasm | 1.29.2 |
| @duckdb/node-api | 1.3.3 |
| @duckdb/node-bindings | 1.3.3 |
| duckdb | 1.3.3 |
| prebid | 10.9.1 |
References:
[1] https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
[2] https://socket.dev/blog/duckdb-npm-account-compromised-in-continuing-supply-chain-attack
[3] https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection/blob/main/Uncategorized/NPM%20debug%20and%20chalk%20compromise%2009-2025.md#description
[4] https://www.linkedin.com/posts/kostastsale_hackers-hijack-npm-packages-with-2-billion-activity-7370922481530036224-NG_l?