A supply-chain attack has compromised 18 npm packages, including chalk and debug, with a staggering 2 billion downloads weekly. Malware embedded in the malicious updates alters web content and tampers with API calls to redirect cryptocurrency transactions to attacker-controlled accounts. Aikido researchers warn of the complexity of the campaign, which stems from a phishing attack on a maintainer account. The incident highlights vulnerabilities in the software supply chain and calls for prompt mitigation to prevent exposure.