In September 2025, a sophisticated supply chain attack compromised NPM packages with over 2 billion weekly downloads, targeting chalk, debug, and ansi-styles—some of the most trusted dependencies in software development.