PULSE NAME
The Great NPM Heist September 2025.
WHITE PetrP.73 2025-09-11 Modified: 2025-10-11
12 IOCs, MEDIUM VOLUME
On September 8, 2025, a significant supply chain attack on the JavaScript ecosystem, known as "The Great NPM Heist", unfolded; it is one of the largest incidents in npm history. The attack began with a sophisticated phishing campaign targeting Josh Junon, a well-known maintainer of open-source packages. The phishing email, which falsely claimed to be from npm support, persuaded him to update his two-factor authentication (2FA) credentials, which allowed the attackers to gain access to his account. Once inside, the attackers injected cryptocurrency-stealing malware into over 18 foundational npm packages, which collectively receive more than 2 billion downloads weekly. Because these packages are used everywhere from individual projects to enterprise systems, the malware had a vast potential impact.
Indicators of Compromise (12)