"Hidden Hackers Rewriting Crypto Addresses in Billions of Downloads"

Generated by AI agent Coin World
Monday, September 8, 2025, 5:01 pm ET, 2 min read

A major cybersecurity breach has placed cryptocurrency users worldwide at heightened risk, as hackers infiltrated the npm account of a widely recognized developer and injected malicious code into popular JavaScript libraries. These libraries, used extensively across the internet, are downloaded over a billion times weekly, making this one of the largest software supply-chain attacks in history [1]. The breach has led to the distribution of a sophisticated “crypto-clipper” malware capable of altering transactions and redirecting funds without the user’s knowledge [1].

The malware operates in two primary ways. When no crypto wallet is detected, the code scans websites for cryptocurrency addresses and replaces them with attacker-controlled addresses that are visually indistinguishable from the original [1]. When a wallet such as MetaMask is present, the malware intercepts transaction data and changes the recipient address to that of the attacker. If the user signs the transaction without verifying the details, their funds are redirected to the hacker’s account [1]. The attack exploits browser-based wallets by intercepting common web functions such as `fetch` and `XMLHttpRequest`, enabling it to manipulate data before it reaches the wallet interface [1].
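A defensive check for the interception described above, as an added example that is not from the article or its sources: it tests whether `fetch` and the `XMLHttpRequest` methods still print as browser built-ins. The names `looksNative`, `auditHooks` and `makeHookedScope` are hypothetical, and the hooked scope is a constructed stand-in for a page where a script has wrapped both APIs.

```javascript
// Added example: heuristic check that fetch / XMLHttpRequest are still built-ins.

// A built-in prints as "function NAME() { [native code] }". A JavaScript
// wrapper prints its own source, and a bound function prints with no name.
function looksNative(fn, expectedName) {
  if (typeof fn !== "function") return false;
  // Use the prototype's toString so an own `toString` on the wrapper is ignored.
  const src = Function.prototype.toString.call(fn).replace(/\s+/g, " ").trim();
  return src === `function ${expectedName}() { [native code] }`;
}

// Returns the labels of APIs that exist in `scope` but no longer look native.
function auditHooks(scope) {
  const xhr = scope.XMLHttpRequest && scope.XMLHttpRequest.prototype;
  const targets = [
    ["fetch", scope.fetch, "fetch"],
    ["XMLHttpRequest.prototype.open", xhr && xhr.open, "open"],
    ["XMLHttpRequest.prototype.send", xhr && xhr.send, "send"],
  ];
  return targets
    .filter(([, fn, name]) => fn !== undefined && !looksNative(fn, name))
    .map(([label]) => label);
}

// Constructed stand-in (not captured from the incident): both APIs are
// ordinary JavaScript functions, and fetch carries an own toString that
// claims to be native.
function makeHookedScope() {
  function XMLHttpRequest() {}
  XMLHttpRequest.prototype.open = function open(method, url) {};
  XMLHttpRequest.prototype.send = function send(body) {};
  const fetch = function fetch(input, init) { return Promise.resolve(null); };
  fetch.toString = () => "function fetch() { [native code] }";
  return { fetch, XMLHttpRequest };
}

// In a browser, call auditHooks(window) before third-party bundles load and
// again before building a transaction.
console.log(auditHooks(makeHookedScope()));
```

A non-empty result only says that something replaced the API, which monitoring and polyfill libraries also do, so treat it as a prompt to identify the script responsible. A script that also replaces `Function.prototype.toString` defeats this heuristic.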

The initial compromise occurred through the npm account of a developer known as Qix. Hackers published malicious updates across dozens of packages, which were then automatically installed by developers who updated their projects. The breach was only discovered after a build error revealed suspicious, unreadable code in one of the updated packages [1]. Security experts emphasize that this incident highlights the vulnerabilities within the open-source software ecosystem, where a single compromised account can lead to widespread exposure [1].

Given the scope and complexity of the breach, cybersecurity experts are urging all crypto users to take immediate steps to protect their assets. One of the key recommendations is to always verify transaction details on the wallet’s confirmation screen or hardware device before signing [1]. Users are advised to pause transactions if they are unsure whether their software or browser-based wallet is affected. Checking recent transaction history for anomalies and revoking suspicious approvals are also recommended [1].

For those sending funds to new addresses, it is advised to conduct a small test transaction first to ensure that the address is legitimate. Security professionals also emphasize that hardware wallets, which display transaction data on a separate screen, remain the most secure option for managing digital assets [1]. In response to the breach, MetaMask has introduced new tools such as Kipuka, a security utility that isolates package installations in containers to prevent malicious scripts from executing [2]. This development comes as part of MetaMask’s broader effort to strengthen the security of the decentralized ecosystem against increasingly sophisticated cyber threats.

The incident underscores the fragility of trust in the open-source software supply chain. Despite efforts to remove the malicious code, some compromised versions may remain online for weeks. As the situation continues to evolve, users are urged to remain vigilant and verify every transaction carefully. A single overlooked detail, such as a subtly altered wallet address, could result in the loss of funds [1]. In light of the breach, the broader cryptocurrency community is reevaluating the role of security infrastructure, with some organizations exploring the integration of zero-knowledge cryptographic tools to enhance privacy and compliance [2].

Sources:

[1] Major Crypto Hack Warning: Your Wallet Funds Are Now at Risk (https://beincrypto.com/major-crypto-hack-warning-wallets-at-risk/)

[2] MetaMask Security Report: August 2025 (https://metamask.io/news/metamask-security-report)
