"Code Supply Chains Under Fire: Malware Hides in Job Ads and npm Packages"

Generated by Coin World's AI agent
Friday, September 12, 2025, 4:43 am ET, 2 min read

A new malware campaign is using fake job advertisements to compromise Windows, macOS, and Linux systems and target crypto wallets while bypassing conventional antivirus detection. Dubbed ModStealer, the malware was discovered by security firm Mosyle, which reported that it had evaded detection by major antivirus engines for nearly a month. It is distributed through social engineering, specifically fake job ads aimed at developers, who frequently have a Node.js runtime installed. Once executed, ModStealer scans for browser-based crypto wallet extensions, system credentials, and digital certificates and exfiltrates the data to remote command-and-control servers. It also establishes persistence: on macOS it disguises itself as a background helper (a launch agent) so that it runs automatically at login. Indicators of infection include a hidden file named “.sysupdater.dat” and outbound connections to unfamiliar servers.

In a parallel development, attackers compromised 18 popular npm packages, including the widely used libraries chalk, debug, and supports-color, to inject malware that silently redirects crypto transactions. The malicious versions were published on Sept. 8, 2025, after the maintainer's account was taken over through a phishing attack. Together these packages see roughly 2 billion downloads per week, so the potential blast radius was enormous. The payload runs in the browser, where it intercepts network requests and rewrites transaction parameters. For Ethereum, it reroutes approvals and transfers to attacker-controlled accounts. For Solana, it modifies instruction accounts and recipients. Aikido researchers highlighted the attack's multi-layered nature: it alters content displayed on websites, tampers with API calls, and manipulates the user's wallet interactions. Despite its scale, the attack earned almost nothing. On-chain data shows the attacker received only around five cents of Ethereum and approximately $20 worth of an illiquid memecoin. The broader implications are nonetheless significant, since the incident shows how adversaries are increasingly targeting open-source maintainers in order to weaponize ubiquitous utility packages.

The compromise of the npm maintainer known as “qix” let the attackers republish every package under that account with a crypto-focused payload. The phishing email, sent from a spoofed support@npmjs.help domain, harvested both the password and the 2FA code. Once inside, the attackers embedded code that checked for the presence of window.ethereum and silently rerouted Ethereum transactions to a single wallet. For Solana, the malware overwrote recipients with an invalid string, which simply broke transfers. The code also intercepted network requests and replaced wallet addresses in JSON responses with the closest-looking of 280 hardcoded attacker addresses, so that a user glancing at the displayed address would be unlikely to notice the swap.

Aikido emphasized the stealthy, multi-layered nature of the attack, noting that a payload that alters both what the user sees and what the application sends, without triggering any alarm, is particularly dangerous. Organizations that pulled in the affected releases are advised to remove the malicious versions, pin dependencies to known-good versions through a committed lockfile, and rotate any credentials that may have been exposed. Monitoring for suspicious hooks on wallet and network APIs, and for unexpected wallet activity, is also critical to catching similar threats. The incident reflects a broader trend in which adversaries exploit human and technical weaknesses in the software supply chain to deploy malicious payloads at scale.
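The payload mechanics described above (wrapping fetch/XMLHttpRequest and window.ethereum.request) and the advice to monitor for suspicious API hooks can be demonstrated with a small in-page audit. The following is an added example written for this page; it is not Aikido's, Mosyle's or npm's tooling, and the "hook" it exercises is a stub that only wraps functions to show what a detector sees. The helper names (`auditScope`, `snapshotProvider`, the constructed scopes) are assumptions for illustration.

```javascript
// Added, illustrative detector for monkey-patched network and wallet APIs.
// Not the article's or any vendor's code; the hook it tests against is a stub.

// Function.prototype.toString captured at load time, before any app bundle
// runs, so a payload that also patches toString cannot hide its wrappers.
const pristineToString = Function.prototype.toString;
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// Browser built-ins (fetch, XMLHttpRequest methods) print as "[native code]".
// A JavaScript wrapper installed over them prints its own source instead.
function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  // Reflect.apply avoids calling fn.toString, which an attacker can shadow.
  return NATIVE_RE.test(Reflect.apply(pristineToString, fn, []));
}

// Injected wallet providers (MetaMask etc.) are JavaScript, not native code,
// so for them the cheap check is identity: did the function object change
// after we snapshotted it? Take the snapshot as early in page load as possible.
function snapshotProvider(scope) {
  const eth = scope.ethereum;
  return eth ? { request: eth.request, send: eth.send, sendAsync: eth.sendAsync } : null;
}

// Audit a window-like scope. Returns a list of findings (empty = nothing
// suspicious). `scope` is a parameter so the same function runs against
// `window` in a browser and against constructed objects in tests.
function auditScope(scope, providerSnapshot) {
  const findings = [];
  const xhr = scope.XMLHttpRequest && scope.XMLHttpRequest.prototype;
  const builtins = [
    ['fetch', scope.fetch],
    ['XMLHttpRequest.prototype.open', xhr && xhr.open],
    ['XMLHttpRequest.prototype.send', xhr && xhr.send],
  ];
  for (const [name, fn] of builtins) {
    if (fn === undefined) continue; // API absent in this environment
    if (!looksNative(fn)) findings.push(`${name} is wrapped by non-native code`);
  }
  if (providerSnapshot && scope.ethereum) {
    for (const [name, original] of Object.entries(providerSnapshot)) {
      if (original !== undefined && scope.ethereum[name] !== original) {
        findings.push(`ethereum.${name} was replaced after page load`);
      }
    }
  }
  return findings;
}

// Constructed stand-in scope (Math.* functions print as native code in every
// engine). A real page would pass `window` instead.
function makeCleanScope() {
  return {
    fetch: Math.max,
    XMLHttpRequest: { prototype: { open: Math.min, send: Math.abs } },
    ethereum: { request: async (args) => args },
  };
}

// Stub of the hooking technique: wrap the originals so calls still succeed
// but pass through attacker-controlled code first. No real rewriting here.
function installStubHooks(scope) {
  const origFetch = scope.fetch;
  scope.fetch = function fetch(...args) { return origFetch.apply(this, args); };
  const origRequest = scope.ethereum.request;
  scope.ethereum.request = (args) => origRequest(args);
  return scope;
}

// Run the audit before and after the stub hooks are installed.
function demo() {
  const scope = makeCleanScope();
  const snap = snapshotProvider(scope);
  const before = auditScope(scope, snap); // []
  installStubHooks(scope);
  const after = auditScope(scope, snap);  // fetch and ethereum.request flagged
  return { before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two caveats a practitioner should keep in mind. First, the provider snapshot is only meaningful if it is taken by a script that runs before the application bundle (for example the first inline script in the document head); a compromised dependency that executes earlier would be baselined as "original". Second, the `[native code]` heuristic catches plain JavaScript wrappers but not a `Proxy` placed over a built-in, since engines print callable proxies as native code; the identity comparison against a snapshot is what catches that case, so use both.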

Taken together, ModStealer and the npm compromise show a threat landscape in which criminals combine evasion techniques and cross-platform malware to go after the crypto ecosystem. Researchers note that ModStealer stands out for running undetected across Windows, Linux, and macOS, which makes it a serious risk to anyone managing digital assets. Beyond wallet theft, ModStealer captures clipboard data, takes screenshots, and executes remote code, giving attackers near-complete control over compromised devices. The npm attack, although it yielded little money, exposed weaknesses in the npm supply chain that a more careful adversary could exploit to far greater effect. Security firms are urging developers and users to adopt proactive measures, including behavioral monitoring, to counter such stealthy attacks. As SentinelOne has described it, the operationalization of cybercrime is shifting the threat landscape from isolated incidents to organized, business-like operations with focused agendas.
