Ethereum News Today: "Malware Hijacks Crypto Transactions via Popular npm Packages"
Ledger's CTO has recently issued a warning to cryptocurrency users to closely monitor on-chain transactions, citing the discovery of a widespread supply chain attack involving several popular JavaScript packages on npm. The compromised packages, which include widely used tools such as chalk, debug, and ansi-styles, collectively exceed 2 billion weekly downloads. These packages were found to contain malicious code designed to intercept and manipulate crypto and web3 activity within browsers, redirecting funds and approvals to attacker-controlled accounts without the user's awareness [1].
The malware works by injecting itself into core browser functions such as fetch and XMLHttpRequest, and into common wallet interfaces such as window.ethereum. It silently rewrites transaction parameters and payment destinations before they are presented to the user for signing. This allows attackers to alter Ethereum, Solana, and other blockchain transactions in the background, so that legitimate transactions can be rerouted without the user noticing [1]. The attack also leverages "look-alike" addresses: string-based replacements chosen to resemble the legitimate address so that the swap escapes immediate detection [1].
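Two defender-side checks for the behaviours described above, as an added example that is not code from the article or from any of the affected packages: a test for whether a browser API has been wrapped by injected JavaScript, and a comparison of the recipient that reaches the wallet against the one the user intended, with look-alike swaps flagged separately. The `intent` object shape, the provider object and every address below are constructed for the example.

```javascript
// Added example, not code from the article or the compromised packages.
// Runs in Node 18+ or a browser; the addresses, intent shape and provider
// object are constructed for illustration.

// 1. Has a global API been wrapped by injected JavaScript? Native functions
//    stringify to "[native code]"; a JS wrapper around fetch, XMLHttpRequest
//    or provider.request prints its own source instead. Caveats: bound
//    functions also print "[native code]", malware can patch toString itself,
//    and Node's own fetch is implemented in JS (undici), so use this on browser
//    globals and treat "false" as a strong signal, "true" as "no obvious wrapper".
function looksNative(fn) {
  if (typeof fn !== "function") return false;
  return /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// 2. Classify the recipient that reached the wallet against the one the user
//    meant. A look-alike swap keeps the leading and trailing characters that
//    wallet UIs show in a truncated address, so that case is reported on its own.
function classifyRecipient(intended, actual) {
  const a = String(intended).toLowerCase();
  const b = String(actual).toLowerCase();
  if (a === b) return "match";
  const sameEnds = a.slice(0, 6) === b.slice(0, 6) && a.slice(-4) === b.slice(-4);
  return sameEnds ? "lookalike" : "mismatch";
}

// 3. Compare an EIP-1193 eth_sendTransaction request against the user's stated
//    intent ({to, value}, a constructed shape) before forwarding it to the wallet.
function checkTransactionIntent(intent, req) {
  if (req.method !== "eth_sendTransaction") return { ok: true, reason: "not a transfer" };
  const tx = req.params[0];
  const verdict = classifyRecipient(intent.to, tx.to);
  if (verdict !== "match") return { ok: false, reason: `recipient ${verdict}` };
  if (String(tx.value).toLowerCase() !== String(intent.value).toLowerCase()) {
    return { ok: false, reason: "value changed" };
  }
  return { ok: true, reason: "matches intent" };
}

// Wrapper around provider.request that refuses to forward a tampered transfer.
function guardedRequest(provider, intent, req) {
  const check = checkTransactionIntent(intent, req);
  if (!check.ok) return Promise.reject(new Error(`blocked: ${check.reason}`));
  return provider.request(req);
}
```

Because the injected code runs in the same page as this guard, it is a detection aid for dapp operators and analysts, not a substitute for checking the final details in the wallet and on a block explorer as the article advises.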
The scale and sophistication of the attack were uncovered after a maintainer of one of the affected packages reported being compromised via a phishing email. The email, sent from a newly registered domain "npmjs.help," led to the unauthorized access of the maintainer’s npm account and the subsequent publishing of malicious versions of the packages. The maintainer confirmed the breach via Bluesky and began removing the compromised packages. However, some packages, including simple-swizzle, remained affected at the time of reporting [1].
Following the initial breach, a second package, proto-tinker-wc@0.1.87, was found to be compromised by the same attackers, indicating a coordinated effort. The malicious code in this package was embedded in the dist/cjs/proto-tinker.cjs.entry.js file [1]. The attack is not limited to a single platform or wallet; it is designed to work across multiple blockchain ecosystems, including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash [1].
The incident highlights the vulnerabilities in the open-source software supply chain and the risks of relying on widely used libraries. The malicious code remained undetected for some time because of its obfuscation and its multi-layered manipulation of both front-end and back-end functions. Ledger's CTO emphasized the importance of verifying on-chain transactions with a blockchain explorer and double-checking the final transaction details before approving any transfer [1].
The attack has prompted renewed calls for greater scrutiny of npm packages, particularly those with high download volumes. The affected packages are now under investigation, and the npm community is advised to monitor updates from the package maintainers and security experts. Tools like Aikido Safe-Chain were promoted as potential solutions for detecting and mitigating such threats [1].
Sources:
[1] npm debug and chalk packages compromised, https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
[2] npm, a JavaScript package manager, https://www.npmjs.com/package/npm