A massive NPM supply chain attack compromised 18+ widely used JavaScript packages with 2B+ weekly downloads after a maintainer fell victim to a phishing email. Malicious code was injected to hijack crypto wallets and blockchain transactions, underscoring the need for stronger OSS defences.