More packages poisoned in npm attack, but would-be crypto thieves left pocket change www.theregister.com/2025/09/0…
During the two-hour window on Monday in which hijacked npm versions were available for download, malware-laced packages reached one in 10 cloud environments, according to Wiz researchers. But crypto-craving crims did little more than annoy defenders.
As of Tuesday, the supply-chain attack remains active, and its scope extends beyond the original 18 infected Qix packages to now include five additional compromised DuckDB and coveops/abi packages, according to JFrog.
Wiz warns organizations to assume “malicious versions of popular packages are still available for download and might be automatically included in development pipelines.”
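The check that warning implies is a lockfile audit: walk what a pipeline is actually pinned to and compare it against the published list of hijacked versions. The script below is an added example, not code from the article, Wiz or JFrog; the package names and versions in `COMPROMISED` and `SAMPLE_LOCK` are constructed placeholders, not the real affected versions, so substitute the values from a trusted advisory before use.

```python
import json

# Constructed advisory list: package name -> set of compromised versions.
# PLACEHOLDER values only; replace with the versions named in a trusted advisory.
COMPROMISED = {
    "@example/placeholder-pkg": {"0.0.0-compromised"},
    "placeholder-utility": {"9.9.9"},
}

def installed_packages(lockfile):
    """Yield (name, version) for every dependency recorded in a package-lock.json.

    Covers lockfileVersion 2/3 ('packages' keyed by node_modules path, including
    nested 'node_modules/a/node_modules/b') and lockfileVersion 1 ('dependencies').
    """
    for path, meta in lockfile.get("packages", {}).items():
        if not path:  # the empty key is the root project itself, not a dependency
            continue
        # Scoped names such as @scope/pkg survive the split because we cut on the
        # last 'node_modules/' segment rather than on '/'.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version")
    stack = list(lockfile.get("dependencies", {}).items())  # v1 nested tree
    while stack:
        name, meta = stack.pop()
        yield name, meta.get("version")
        stack.extend(meta.get("dependencies", {}).items())

def find_compromised(lockfile, advisory=COMPROMISED):
    """Return sorted (name, version) pairs pinned in the lockfile that the advisory flags."""
    hits = {(n, v) for n, v in installed_packages(lockfile) if v in advisory.get(n, ())}
    return sorted(hits)

# Constructed sample lockfile (v3 layout) with one transitive compromised dependency,
# the case a top-level 'npm ls' glance tends to miss.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "version": "1.0.0"},
        "node_modules/safe-lib": {"version": "2.1.0"},
        "node_modules/safe-lib/node_modules/@example/placeholder-pkg":
            {"version": "0.0.0-compromised"},
    },
}

if __name__ == "__main__":
    for name, version in find_compromised(SAMPLE_LOCK):
        print(f"compromised dependency pinned: {name}@{version}")
```

Run it against a real lockfile with `find_compromised(json.load(open("package-lock.json")))` in CI and fail the build on any hit; a non-empty result means the pinned tree, not just a fresh `npm install`, already carries the hijacked version.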