
Security Advisory: qix npm supply-chain compromise affecting `debug` and users of packages with billions of weekly downloads
The npm account of the maintainer Qix was phished and then used to publish malicious versions of widely used packages (including `debug` and multiple packages in the `chalk` ecosystem). The injected code appears designed to execute in the browser, hooking web APIs to silently rewrite cryptocurrency addresses and wallet interactions, while being largely inert in pure Node.js/server contexts.
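Because `debug` and the `chalk` packages are usually pulled in transitively, checking exposure means walking the lockfile rather than `package.json`. The following is an added example, not code from the advisory or from the affected projects: the function names are hypothetical, the version strings in `AFFECTED` are placeholders to be replaced with the affected versions published for this incident, and the sample lockfile is constructed.

```javascript
// Added example. Version strings are PLACEHOLDERS, not real indicators:
// replace them with the affected versions published for this incident.
const AFFECTED = { debug: ["0.0.0-PLACEHOLDER"], chalk: ["0.0.0-PLACEHOLDER"] };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

// Walk a parsed package-lock.json and report every installed copy of a
// watched package, including transitive and nested copies.
function auditLockfile(lock, affected = AFFECTED) {
  const findings = [];
  const record = (name, version, where) => {
    if (!name || !Object.prototype.hasOwnProperty.call(affected, name)) return;
    const status = affected[name].includes(version) ? "affected" : "present";
    findings.push({ name, version, where, status });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    // Aliased installs carry the real package name in meta.name.
    record(meta.name || nameFromPath(path), meta.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree. Skipped when "packages"
  // exists, because v2 lockfiles carry both and would be double-counted.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      record(name, meta.version, where);
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return findings;
}

// Constructed sample lockfile (not real data): debug arrives transitively.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "9.9.9" },
    "node_modules/express/node_modules/debug": { version: "0.0.0-PLACEHOLDER" },
    "node_modules/chalk": { version: "1.2.3" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

A `present` finding means the package is installed at a version not on the list. Since the payload targets the browser, any `affected` finding should also be traced into front-end bundles built while that version was installed.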