Today, security researchers revealed details of a massive supply-chain attack affecting some of the most popular NPM packages in the JavaScript ecosystem. The attack, which compromised packages including chalk, debug, ansi-styles and others with a combined 2+ billion weekly downloads, represents one of the most significant supply-chain incidents in recent memory. This is a big deal, and the NPM supply-chain attack likely affects mobile apps.
What is the NPM Supply Chain Attack?
According to security researchers at Aikido, the attack began on the morning of Sept. 8, 2025, when threat actors successfully phished package maintainers using a fake NPM support email from [email protected]. The compromised packages were injected with malware designed to intercept cryptocurrency transactions and web3 activity in browsers. The malicious code hooks into core browser functions like fetch, XMLHttpRequest, and wallet APIs, silently rewriting transaction destinations to attacker-controlled addresses.
Some of the affected packages include:
- chalk (299.99m downloads per week)
- debug (357.6m downloads per week)
- ansi-styles (371.41m downloads per week)
- strip-ansi (261.17m downloads per week)
- color-convert (193.5m downloads per week)
The attack is particularly insidious because it operates at multiple layers — altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing.
How does the NPM attack affect mobile apps?
Mobile applications are impacted by JavaScript ecosystem supply-chain risks because many modern mobile apps incorporate JavaScript components through frameworks like React Native, Ionic, Cordova and various WebView implementations. Mobile apps increasingly share the same JavaScript dependencies as web applications for content delivery, API interactions and even core functionality.
While the current malware appears focused on cryptocurrency and web3 applications, the same attack vector could easily be adapted to target mobile-specific functionality. The malicious code’s ability to intercept and modify network requests means it could potentially access authentication tokens, user credentials, API keys, and other sensitive mobile app data.
What should I do about the NPM supply-chain attack?
Due to the widespread nature of these packages, a thorough review of your entire mobile app inventory (built and used) is necessary. It is best to get started immediately.
If you’re responsible for a mobile application that uses JavaScript components:
- Audit your dependency tree immediately to identify any use of the affected software packages.
- Pin your dependencies to known-good versions from before Sept. 8, 2025 or watch for new versions to come out from official npm sources.
- Monitor for unusual network activity or unexpected API calls in your applications and developer tools.
- Alert your developers to the risk: Attacks targeting developers are on the rise due to the potential large impacts of supply-chain attacks.
- Prepare emergency app updates to push clean versions through app store review.
- Communicate with your users about potential risks and recommended precautions.
The app store review process adds another layer of complexity — even after developers patch their apps, it may take days or weeks for updated versions to become available to users, during which time compromised versions remain in circulation.
If you’re responsible for managing the risk in third-party mobile applications:
- Identify all managed mobile apps immediately. Check with IT Operations or the team that manages mobile devices for their list of apps approved for use that process sensitive information.
- Audit the dependency tree for all managed mobile apps to identify the use of affected software packages.
- Block the use of impacted mobile apps until a clean version is available from the app vendor.
NowSecure hopes that this timely alert will enable you to identify impacted applications before they make it through your development pipeline or app review process and negatively impact your organization.
NowSecure Customers: NowSecure can identify the presence of the packages in question in first and third-party apps. Our support teams are already working on detailed instructions regarding the use of NowSecure products to protect your organization.
Data sample including potentially affected mobile apps
As part of our mobile app security testing and intelligence gathering, we maintain a database of popular apps and their component dependencies. A preliminary analysis shows approximately 190 mobile apps across iOS and Android that include at least one of the 18 affected components in their dependency chain.
Important caveat: We cannot definitively confirm these apps are using the specific compromised versions of the packages. However, given the popularity of these packages and the timing of the attack, we recommend users and developers of these apps exercise heightened caution and monitor for updates over the coming days and weeks.
A sample of potentially affected apps includes:
Based on a supply-chain analysis of public mobile applications, the following apps make use of one or more matching components. Note this does not mean they necessarily include the version with the malicious dependency code, simply that they have the affected component name present and could warrant additional investigation.
Android Apps:
- DuckDuckGo Browser (com.duckduckgo.mobile.android) – 12 components
- Cox Homelife (com.cox.homesecurity) – 9 components
- FirstCry Arabia (ae.firstcry.shopping.parenting) – 8 components
- Samsung Plus Mobile (com.samsung.plus.mobile) – 10 components
- Verifyle (com.verifyle.android) – 13 components
- Various enterprise and education apps
iOS Apps:
- United Airlines (com.united.UnitedCustomerFacingIPhone) – 11 components
- REMAX First Realty (com.partner-auto-5118.remaxfirstrealty) – 9 components
- Cox Homelife (com.cox.ios.icontrol.iphone) – 9 components
- Verifyle (com.verifyle.ios) – 13 components
- Plan Meals – MealPlanner (com.oneabsolute.mealplanner) – 9 components
- Various business and productivity apps
For the larger list, see https://gist.github.com/dweinstein/aea4b29ea84f41c01cf9f0084cba67d4.
This is a list of mobile applications with a count of matching affected components. The Total Components column indicates the number of matching components, so a higher number indicates a higher likelihood of potentially being affected. This analysis was produced by using NowSecure Mobile Application Risk Intelligence. NowSecure analysis, in addition to dynamic analysis, leverages static binary analysis and a black box software component identification engine.
Mobile app updates – challenge and opportunity
Unlike web applications that can be patched instantly, mobile apps face unique challenges, but also opportunities:
- App store review delays: Even emergency updates typically take 24-48 hours minimum.
- User update adoption: Many users delay or disable automatic app updates, which can result in vulnerable apps remaining on user phones long after patched versions are available.
- Cached dependencies: Apps may bundle vulnerable packages that persist even after NPM cleanup.
- WebView components: Hybrid apps using WebViews may load compromised JavaScript dynamically (e.g., via CDN).
This creates a window of vulnerability that could extend for days, weeks or even months as the ecosystem slowly purges compromised code. We also don’t know the total list of impacted package maintainers.
On the other hand, having an application review process affords Apple and Google an opportunity to centrally address impacted applications. Thankfully, because the window of attack appears to have been relatively short (measured in hours) thanks to a quick community response, the number of mobile applications submitted to review during that window of attacker opportunity should be much lower. With luck, very few applications will ultimately be impacted.
Recommendations for mobile developers
- Immediate action: Audit all affected JavaScript dependencies in your mobile applications, distinguishing those known to be executed from those that are merely present but unused.
- Use dependency scanning tools: Implement automated security scanning in your CI/CD pipeline.
- Update dependencies: Where possible, replace vulnerable JavaScript components with known-good older or fixed versions.
- Monitor runtime behavior: Add telemetry to detect unusual network patterns or API calls, e.g., via dynamic instrumentation or network inspection.
- Monitor developer tooling: Developer tools are increasingly being targeted with supply-chain attacks.
For apps built using common JavaScript frameworks, the malicious code may end up getting pulled directly into the application binary, or it could be added via a third-party dependency that uses one of the affected components. Note that both the mobile application and the mobile server backend could serve up the malicious components. Even if you use PNPM, Bun, Yarn, or another package manager, you could still be exposed.
Recommendations for mobile users
- Update your apps: Monitor for updates to the apps listed above to see if they mention updates specific to the Qix-advisory-related dependencies.
- Monitor financial accounts: Check for unauthorized transactions, especially in crypto/finance apps.
- Enable 2FA: Multi-factor authentication can help protect sensitive accounts.
- Be cautious with WebView content: Avoid entering sensitive information in embedded browsers. Embedded browsers are browsers that are embedded in the application rather than the system-installed browsers.
- Report suspicious behavior: Contact app developers (and NowSecure) if you notice unusual activity.
Looking ahead
This attack demonstrates the cascading impact of supply chain compromises in our interconnected ecosystem. A single phishing email to an NPM package maintainer can potentially affect billions of devices worldwide, including mobile applications that users trust with their most sensitive data.
As the mobile app ecosystem increasingly relies on shared JavaScript libraries and frameworks, the attack surface expands dramatically. The delayed nature of mobile app updates means that even after the immediate threat is contained, echoes of this compromise may persist in the app stores for months to come.
We’ll continue monitoring the situation and will update our analysis as more information becomes available. In the meantime, developers, organizations and users should remain vigilant and prioritize security updates.
Technical indicators
For security teams and developers, here is a set of popular components with specific package versions known to be compromised:
| Package | Compromised Version |
| --- | --- |
| chalk | 5.6.1 |
| debug | 4.4.2 |
| ansi-styles | 6.2.2 |
| strip-ansi | 7.1.1 |
| color-convert | 3.1.1 |
| wrap-ansi | 9.0.1 |
| ansi-regex | 6.2.1 |
| supports-color | 10.2.1 |
Note: This is a developing situation. We recommend checking with official sources and your security teams for the latest information on affected packages and remediation steps.
Contact us to learn how NowSecure mobile app risk management solutions identify and help remediate mobile app risk in first and third-party apps.