"Malware Hides in Billions of Code Downloads, Stealing Crypto in Plain Sight"

Generated by AI agent Coin World
Tuesday, September 9, 2025, 6:56 am ET · 2 min read

Hackers have launched one of the largest supply chain attacks in crypto history by compromising popular JavaScript libraries on the Node Package Manager (NPM) platform, which are downloaded over two billion times weekly. The breach involved injecting malicious code into widely used packages such as `chalk`, `strip-ansi`, and `color-convert`, which are embedded in the dependency trees of countless projects. Even developers who have never directly installed these packages could still be at risk due to their widespread integration into JavaScript ecosystems [1].

The attack introduced a type of malware known as a "crypto-clipper," which secretly modifies wallet addresses during transactions to divert funds to attacker-controlled addresses. According to Security Alliance, a crypto intelligence firm, the malware has so far stolen less than $50 from the crypto space—initially just five cents worth of Ether (ETH), with an additional $20 in memecoins such as Brett (BRETT) and Andy (ANDY) reportedly affected [1]. This low amount has raised concerns that the true scale of the damage may not yet be fully realized, with more transactions potentially being compromised.

The packages targeted in the breach are considered foundational utilities within the JavaScript development environment. Their high frequency of use—billions of weekly downloads—has heightened concerns about the vulnerability of open-source ecosystems to malicious manipulation. The NPM platform functions similarly to an app store for developers, where small code packages are shared and used to build larger applications [2]. The breach has exposed the potential for attackers to exploit these shared dependencies on a massive scale, without direct installation by the end user.

Security experts, including Charles Guillemet, Chief Technology Officer at Ledger, have issued urgent warnings to crypto users and developers. Guillemet emphasized the importance of verifying on-chain transactions carefully, particularly for users of software wallets, which may be more susceptible to this type of attack. Hardware wallet users are advised to ensure each transaction is manually reviewed before signing [2]. The malware’s potential to intercept seed phrases remains unclear, but its ability to alter transaction data underscores the severity of the threat.

Efforts to mitigate the damage have already begun. The malicious code has been removed from the affected packages, and the NPM security team is working to resolve the issue. Developers are being urged to audit their project dependencies and pin affected packages to their last known safe versions using override features in their `package.json` files [3]. The incident has sparked broader discussions about the need for stronger security measures in open-source software supply chains, especially given the critical role NPM and similar platforms play in modern software development.
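One way to carry out the audit-and-pin step described above, as an added example that is not from the article or from NPM: it scans a `package-lock.json` for every installed copy of the named packages, direct or transitive, and builds the `overrides` block for `package.json`. The version numbers, `demo-app`, `some-cli` and the function names are constructed placeholders.

```javascript
'use strict';

// Constructed placeholder policy: "bad" and "safe" versions are NOT real
// advisory data. Fill them in from the registry's official advisory.
const WATCHED = {
  'chalk':         { bad: ['9.9.9'], safe: '9.9.8' },
  'strip-ansi':    { bad: ['9.9.9'], safe: '9.9.8' },
  'color-convert': { bad: ['9.9.9'], safe: '9.9.8' },
};

// Constructed sample of a lockfileVersion 3 package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'some-cli': '^1.0.0', 'strip-ansi': '^9.0.0' } },
    'node_modules/some-cli': { version: '1.2.0' },
    'node_modules/chalk': { version: '9.9.9' },      // hoisted, never installed directly
    'node_modules/strip-ansi': { version: '9.9.8' },
    'node_modules/some-cli/node_modules/color-convert': { version: '9.9.9' },
  },
};

// List every installed copy of a watched package, direct or transitive.
function auditLockfile(lock, watched) {
  const root = (lock.packages || {})[''] || {};
  const direct = { ...root.dependencies, ...root.devDependencies };
  const marker = 'node_modules/';
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue;                        // the root project entry
    const name = path.slice(idx + marker.length);    // also handles @scope/name
    if (!Object.hasOwn(watched, name)) continue;
    findings.push({
      name, path, version: meta.version,
      transitive: !Object.hasOwn(direct, name),
      flagged: watched[name].bad.includes(meta.version),
    });
  }
  return findings;
}

// Build the package.json "overrides" block that pins each flagged package.
function buildOverrides(findings, watched) {
  const overrides = {};
  for (const f of findings) if (f.flagged) overrides[f.name] = watched[f.name].safe;
  return overrides;
}

const findings = auditLockfile(SAMPLE_LOCK, WATCHED);
console.log(JSON.stringify({ overrides: buildOverrides(findings, WATCHED) }, null, 2));
```

After merging the printed `overrides` object into `package.json`, reinstall so the lockfile is regenerated, then run the audit again to confirm no flagged copy remains.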

Sources:

[1] Largest NPM attack in crypto history stole less than $50 (https://cointelegraph.com/news/large-scale-npm-attack-compromised-less-50-dollars)

[2] Crypto users urged to take extreme care as NPM attack hits ... (https://cointelegraph.com/news/npm-attack-crypto-stealing-malware-into-core-javascript-libraries)

[3] Ledger CTO Warns Of Crypto Clipper Malware Following ... (https://www.mitrade.com/insights/news/live-news/article-3-1105645-20250909)
