In what is being called the largest supply chain attack in history, attackers have injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer’s account in a phishing attack. […]

  • bleistift2@sopuli.xyz · 7 months ago

    The packages hijacked so far collectively have over 2.6 billion downloads every week:

    • backslash (0.26m downloads per week)
    • chalk-template (3.9m downloads per week)
    • supports-hyperlinks (19.2m downloads per week)
    • has-ansi (12.1m downloads per week)
    • simple-swizzle (26.26m downloads per week)
    • color-string (27.48m downloads per week)
    • error-ex (47.17m downloads per week)
    • color-name (191.71m downloads per week)
    • is-arrayish (73.8m downloads per week)
    • slice-ansi (59.8m downloads per week)
    • color-convert (193.5m downloads per week)
    • wrap-ansi (197.99m downloads per week)
    • ansi-regex (243.64m downloads per week)
    • supports-color (287.1m downloads per week)
    • strip-ansi (261.17m downloads per week)
    • chalk (299.99m downloads per week)
    • debug (357.6m downloads per week)
    • ansi-styles (371.41m downloads per week)

    […]

    […] there are specific criteria that must be met for an app to have been affected, which significantly decreases the impact. This includes:

    • A fresh install between ~9 AM and ~11.30 AM ET [13:00 – 15:30 UTC on 8th Sep, 2025], when the packages were compromised
    • Package-lock.json was created during that time
    • Vulnerable packages in direct or transient dependencies
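A defender's check for the criteria above, as an added example that is not from the post or from any of the named projects: it scans a package-lock.json for the listed package names (both the lockfile v1 `dependencies` tree and the v2/v3 `packages` map) and tests whether the lockfile's timestamp falls inside the quoted window. The sample lockfile and its version numbers are constructed; the post does not give the compromised versions, so the script reports which listed packages are present and at which versions rather than judging them.

```javascript
// Added example: triage a package-lock.json against the post's criteria.
// The package list is the one quoted above; versions are NOT in the post.
const AFFECTED = new Set([
  'backslash', 'chalk-template', 'supports-hyperlinks', 'has-ansi',
  'simple-swizzle', 'color-string', 'error-ex', 'color-name', 'is-arrayish',
  'slice-ansi', 'color-convert', 'wrap-ansi', 'ansi-regex', 'supports-color',
  'strip-ansi', 'chalk', 'debug', 'ansi-styles',
]);
// Compromise window quoted in the post: 13:00 - 15:30 UTC, 8 September 2025.
const WINDOW_START = Date.parse('2025-09-08T13:00:00Z');
const WINDOW_END = Date.parse('2025-09-08T15:30:00Z');

// Lockfile v2/v3 keys entries as "node_modules/<name>" (nested paths for
// deduplicated copies); v1 nests them under "dependencies". Read both and
// return Map<name, Set<version>> for every listed package found.
function affectedInLock(lock) {
  const hits = new Map();
  const add = (name, version) => {
    if (!AFFECTED.has(name)) return;
    if (!hits.has(name)) hits.set(name, new Set());
    hits.get(name).add(version);
  };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue;                       // '' is the root project
    add(path.split('node_modules/').pop(), entry.version);
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      add(name, entry.version);
      walk(entry.dependencies);                // transitive dependencies
    }
  };
  walk(lock.dependencies);
  return hits;
}

// True when the lockfile's creation/modification time (ms since epoch,
// e.g. fs.statSync(path).mtimeMs) lies inside the quoted window.
function installedInWindow(lockTimeMs) {
  return lockTimeMs >= WINDOW_START && lockTimeMs <= WINDOW_END;
}

// Constructed sample lockfile (v3 shape) so the script runs stand-alone.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.3.0' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/chalk/node_modules/ansi-styles': { version: '6.2.1' },
  },
};
console.log(affectedInLock(SAMPLE_LOCK), installedInWindow(Date.now()));
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` and pass `fs.statSync('package-lock.json').mtimeMs` to installedInWindow; a hit on both checks means the install needs a closer look, an empty map means the listed packages are not in that tree at all.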