The JavaScript ecosystem was hit by one of its biggest supply-chain incidents on Sept. 8, when a phished maintainer account pushed malicious updates to at least 18 popular npm packages, including chalk and debug, that collectively see ~2 billion weekly downloads.
The payload targeted crypto users by intercepting on-page wallet calls and swapping destination addresses.
How it happened
Investigators say the attacker impersonated npm support using the npmjs.help domain and a fake 2FA reset workflow to seize the account of prolific maintainer Qix (Josh Junon).
With access, the actor rapidly published tainted versions across a cluster of utilities (e.g., ansi-regex, strip-ansi, supports-color, wrap-ansi), before the breach was spotted and reversions began. Qix acknowledged the compromise publicly and said cleanup was underway.
Why crypto was in the crosshairs
The malware only activates in the browser. It checks for a global window object (so it stays dormant under Node and in CI), then hooks window.fetch, XMLHttpRequest, and Web3 wallet APIs such as window.ethereum.request.
From there, it rewrites the recipient address to a look-alike using Levenshtein matching, a classic “clipper” move aimed at draining wallets on dapps and exchange front-ends.
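To make the two mechanisms above concrete, here is an added example written for this page; it is not code from the article, from the payload, or from any of the affected packages. It runs in Node against a constructed window-like object: snapshotApis and findRewrappedApis record the identity of fetch, XMLHttpRequest.prototype.open/send and ethereum.request early and report which ones have since been replaced, and closestLookalike shows what Levenshtein matching does to a constructed victim address against a constructed pool of attacker addresses. Every function name, the fake window, and the addresses are assumptions for illustration.

```javascript
// Added example for this page (not code from the article, the payload, or any affected
// package). Two checks a dapp front-end can keep in its own code, exercised here in
// Node against a constructed window-like object.

// --- 1. Hook detection by identity snapshot -----------------------------------------
// Record the function objects behind the browser entry points the payload is described
// as hooking. A wrapper installed later is a different function object, so a plain
// identity comparison reveals it without relying on Function.prototype.toString
// (wallet providers such as window.ethereum are JavaScript, not native code, so a
// "[native code]" test would misfire on them).
function snapshotApis(win) {
  const xhr = win.XMLHttpRequest;
  const eth = win.ethereum;
  return {
    'fetch': win.fetch,
    'XMLHttpRequest.prototype.open': xhr && xhr.prototype.open,
    'XMLHttpRequest.prototype.send': xhr && xhr.prototype.send,
    'ethereum.request': eth && eth.request,
  };
}

// Returns the names of entry points whose current function differs from the snapshot.
// Keys that were undefined at snapshot time (e.g. no wallet injected yet) are skipped.
function findRewrappedApis(win, snapshot) {
  const now = snapshotApis(win);
  return Object.keys(snapshot).filter(
    (k) => typeof snapshot[k] === 'function' && snapshot[k] !== now[k]
  );
}

// --- 2. What "Levenshtein matching" means for the address swap ---------------------
// Classic single-row dynamic-programming edit distance.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Picks the candidate closest to the target. This is the selection rule the article
// attributes to the payload, reproduced only to show its effect on the two ends of the
// string a user is likely to eyeball.
function closestLookalike(target, candidates) {
  let best = null;
  for (const candidate of candidates) {
    const distance = levenshtein(target.toLowerCase(), candidate.toLowerCase());
    if (best === null || distance < best.distance) best = { address: candidate, distance };
  }
  return best;
}

// --- Constructed demo data (assumptions, not real addresses) -------------------------
const HEAD = '0x1234abcd';
const TAIL = '00005678';
const VICTIM_ADDRESS = HEAD + '0'.repeat(24) + TAIL;            // 0x + 40 hex chars
const ATTACKER_POOL = [
  HEAD + '0'.repeat(10) + 'ffff' + '0'.repeat(10) + TAIL,        // same head and tail, 4 chars differ
  '0x' + 'a'.repeat(8) + '0'.repeat(24) + 'b'.repeat(8),         // head and tail both differ
  '0x' + '9'.repeat(40),                                          // every hex char differs
];

function makeFakeWindow() {
  function fetch() {}
  function XMLHttpRequest() {}
  XMLHttpRequest.prototype.open = function open() {};
  XMLHttpRequest.prototype.send = function send() {};
  return { fetch, XMLHttpRequest, ethereum: { request: function request() {} } };
}

// Simulates a dependency that wraps fetch and ethereum.request after the snapshot was taken.
function demoHookDetection() {
  const win = makeFakeWindow();
  const baseline = snapshotApis(win);
  const origFetch = win.fetch;
  win.fetch = function wrappedFetch(...args) { return origFetch.apply(this, args); };
  const origRequest = win.ethereum.request;
  win.ethereum.request = function wrappedRequest(...args) { return origRequest.apply(this, args); };
  return findRewrappedApis(win, baseline);
}

console.log('rewrapped:', demoHookDetection());
console.log('swap target:', closestLookalike(VICTIM_ADDRESS, ATTACKER_POOL));
```

Two caveats. The snapshot is only a baseline if it runs before the bundle that might carry the compromised dependency (an inline script at the top of the document, or a separately loaded and pinned script); a package that hooks fetch at module-evaluation time would otherwise be captured as the baseline. And the demo's chosen attacker address shares the first ten and last eight characters with the intended one, which is exactly why glancing at the ends of an address does not help and the full address has to be verified on the hardware wallet screen.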
The campaign broadened
Within hours, the same wallet-drainer surfaced via a second compromised maintainer, extending risk to packages such as @duckdb/node-api, duckdb, and prebid. That expansion underscores the blast radius when trusted publishers are hijacked.
Crypto industry response
Ledger CTO Charles Guillemet warned users that the malware swaps addresses silently and urged on-device verification (clear-signing) before approving any transaction.
Security firms have published technical breakdowns and IOCs, while maintainers have reverted or deprecated bad builds. Separately, but relevant for risk posture, the Aug. 26 “s1ngularity”/Nx incident leaked developer secrets via compromised npm releases, illustrating how stolen tokens can seed follow-on package takeovers like this week’s wave.
What it means for web3 teams & users
- If you build dapps or wallet UIs: Audit lockfiles for the exact bad versions listed in current advisories; rebuild from clean pins, purge caches/CDNs, and redeploy. Search bundles for code that hooks network calls or wallet APIs and alters addresses.
- If you’re a crypto user: Prefer a hardware wallet and confirm the on-device address matches what you intended before signing.
- For security/ops: Rotate npm/GitHub/CI tokens touched during the window; review recent installs and release pipelines. If you use Nx, follow the remediation steps in Aikido’s write-up.
Bottom line: This is likely the largest npm supply-chain hack to date, and its design expressly targets crypto transactions at the UI layer. Keeping users safe now hinges on rapid rebuilds, strict dependency pinning, and verifying every on-chain action at the hardware wallet screen.