malware npm

supports-color

discovered 2025-09-08

supports-color is identified in the SafeDep analysis "npm Supply Chain Attack: Multiple Popular Packages Hijacked (1B+ Weekly Downloads)". Complete analysis of sophisticated crypto wallet drainer found in 21 npm packages with over one billion weekly downloads. Includes detailed technical breakdown of 76KB malware payload disguised in has-ansi@6.0.1 and multi-stage attack architecture.

more…

Threat types

crypto_drainer

Malicious versions

10.2.1

Campaigns

qix npm Account Compromiseattributed-to

Indicators

sha1 fc4a4858bafef54d1b1d7697bfb5c52f4c166976indicates
md5 19111111111111111111111111111111indicates
wallet 0x66a9893cC07D91D95644AEDD05D03f95e1dBA8Afexfiltrates-to
wallet 0x10ed43c718714eb63d5aa57b78b54704e256024eexfiltrates-to
wallet 0x13f4ea83d0bd40e75c8222255bc855a974568dd4exfiltrates-to
wallet 0x1111111254eeb25477b68fb85ed929f73a960582exfiltrates-to
wallet 0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9fexfiltrates-to
wallet 0xfc4a4858bafef54d1b1d7697bfb5c52f4c166976exfiltrates-to
wallet 0x66a9893cc07d91d95644aedd05d03f95e1dba8afexfiltrates-to
wallet 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976exfiltrates-to
wallet 0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024exfiltrates-to
wallet 0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7Bexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1552.004 Unsecured Credentials: Private Keysuses
ttp T1105 Ingress Tool Transferuses

Read the full analysis →