"Phishing Breach Unleashes Crypto-Stealing Malware in 2B+ npm Downloads"
A massive supply chain attack on the npm ecosystem has emerged, compromising widely used JavaScript packages and posing a significant risk to cryptocurrency transactions. On September 8, 2025, popular packages such as debug, chalk, and 16 other utility libraries were hijacked and pushed to npm with malicious code targeting blockchain wallets and transactions. These packages collectively have over 2 billion weekly downloads, amplifying the scale and potential damage of the attack [1].
The breach originated from a targeted phishing attack against the maintainer of the affected packages, whose npm account was taken over via a fake 2FA reset email sent from a deceptive domain (npmjs.help). The attacker captured the maintainer's login credentials together with a live TOTP code, which was enough to publish malicious versions of the packages [2]. The malicious versions were live for approximately two hours before clean versions were republished and the affected accounts were flagged and locked by npm [1].
The malware, which operates in browser environments, primarily targets crypto transactions and web3 API calls. It intercepts wallet interactions (specifically by hooking window.ethereum) to redirect outgoing transactions to attacker-controlled addresses, and it rewrites API responses using a Levenshtein "nearest match" algorithm that replaces legitimate blockchain addresses with visually similar attacker-controlled ones. It supports multiple blockchains, including Ethereum (ETH), Bitcoin (BTC), Litecoin (LTC), Tron (TRON), Bitcoin Cash (BCH), and Solana (SOL) [1]. Obfuscation techniques mask its presence, and a global object named stealthProxyControl exposes developer-like controls [3].
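The address-swapping technique described above can be caught from the defender's side with the same edit-distance metric: if the recipient in a transaction about to be sent differs from the recipient the user confirmed, and the two are visually close, that is the signature of a lookalike substitution rather than an ordinary typo or bug. The following is an added example written for this page, not code from the article or the vendors it cites. The sample addresses, the LOOKALIKE_RATIO threshold and the stub provider are constructed for the demonstration; window.ethereum is mentioned only as the kind of object the guard would wrap.

```javascript
// Added defensive example (not from the original article): classify the recipient
// of an outgoing EVM transaction against the address the user actually confirmed,
// and refuse to forward a transaction whose recipient has been swapped.

// Classic dynamic-programming Levenshtein edit distance between two strings.
function levenshtein(a, b) {
  if (a === b) return 0;
  if (a.length === 0) return b.length;
  if (b.length === 0) return a.length;
  let prev = new Array(b.length + 1);
  let curr = new Array(b.length + 1);
  for (let j = 0; j <= b.length; j++) prev[j] = j;
  for (let i = 1; i <= a.length; i++) {
    curr[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      curr[j] = Math.min(prev[j] + 1, curr[j - 1] + 1, prev[j - 1] + cost);
    }
    [prev, curr] = [curr, prev];
  }
  return prev[b.length];
}

// Normalise an EVM address so EIP-55 checksum casing does not count as a difference.
function normalizeEvmAddress(addr) {
  const s = String(addr).trim().toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(s)) throw new Error(`not an EVM address: ${addr}`);
  return s;
}

// Assumed tuning constant (not from the article): an edit distance of at most a
// quarter of the address length, or a shared prefix/suffix, counts as "lookalike".
const LOOKALIKE_RATIO = 0.25;

// Returns "ok" (identical), "lookalike" (different but visually similar, the
// pattern the malware produces) or "mismatch" (different and not similar).
function classifyRecipient(intended, outgoing) {
  const a = normalizeEvmAddress(intended);
  const b = normalizeEvmAddress(outgoing);
  const d = levenshtein(a, b);
  if (d === 0) return "ok";
  const sharesEnds = a.slice(0, 6) === b.slice(0, 6) || a.slice(-4) === b.slice(-4);
  return d / a.length <= LOOKALIKE_RATIO || sharesEnds ? "lookalike" : "mismatch";
}

// Guard around a provider's request(): only forward eth_sendTransaction when the
// `to` field equals the address the user confirmed. `provider` is any object with
// a request() method (in a browser that would be window.ethereum); tests use a stub.
function guardedSend(provider, intendedTo, tx) {
  const verdict = classifyRecipient(intendedTo, tx.to);
  if (verdict !== "ok") {
    throw new Error(`refusing to send: recipient ${verdict} (intended ${intendedTo}, got ${tx.to})`);
  }
  return provider.request({ method: "eth_sendTransaction", params: [tx] });
}

// Constructed sample addresses for the demonstration (not real wallets).
const SAMPLE_INTENDED = "0x1111111111111111111111111111111111111111";
const SAMPLE_LOOKALIKE = "0x1111111111111111111111111111111111111112"; // one char off
const SAMPLE_UNRELATED = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";

// Stub provider standing in for window.ethereum; records what it was asked to send.
const stubProvider = {
  sent: [],
  request({ method, params }) {
    this.sent.push({ method, params });
    return "0xSTUB_TX_HASH";
  },
};

// Runs the three cases and reports whether the guard behaved as intended.
function runDemo() {
  const results = {
    same: classifyRecipient(SAMPLE_INTENDED, SAMPLE_INTENDED.toUpperCase()),
    swapped: classifyRecipient(SAMPLE_INTENDED, SAMPLE_LOOKALIKE),
    unrelated: classifyRecipient(SAMPLE_INTENDED, SAMPLE_UNRELATED),
    blocked: false,
    forwarded: null,
  };
  try {
    guardedSend(stubProvider, SAMPLE_INTENDED, { to: SAMPLE_LOOKALIKE, value: "0x1" });
  } catch (e) {
    results.blocked = true;
  }
  results.forwarded = guardedSend(stubProvider, SAMPLE_INTENDED, { to: SAMPLE_INTENDED, value: "0x1" });
  return results;
}
```

In a real wallet integration the "intended" address would come from the confirmation dialog the user saw, not from the page's own state, since the page is exactly what the injected script controls. The same distance check is also useful in CI: run it over the addresses your front end renders versus the addresses it submits, with a compromised dependency pinned, and a "lookalike" verdict is a direct indicator of this class of tampering.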
The attack has broader implications for mobile applications. Given the widespread use of JavaScript frameworks like React Native and Cordova, many mobile apps integrate npm packages for functionality. Security researchers identified that 190 mobile apps across iOS and Android platforms have dependencies on the compromised packages. While it is uncertain whether these apps used the malicious versions, the potential for exposure remains significant, especially as app store updates may take weeks to fully replace vulnerable code [2].
For developers and organizations, immediate action is advised. Developers are urged to audit their dependency trees and confirm whether affected versions are present in their lockfiles or deployments. Automated scanning tools and commands such as rg -u --max-columns=80 _0x112fa8 can help identify the presence of malicious code. Developers should also pin dependencies to safe versions and update runtime monitoring systems to detect unusual network behavior [1]. For mobile apps, it is recommended to prioritize emergency updates and maintain vigilance in the app review process due to the delays inherent in app store distribution [2].
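The audit step above, checking a lockfile for affected package versions, is easy to get wrong by looking only at top-level dependencies: a compromised version can sit several levels deep as a nested duplicate. The following is an added example written for this page, not a tool from the article or from Upwind, NowSecure or Snyk. It walks an npm package-lock.json (lockfileVersion 2/3 "packages" map, with a fallback for the v1 nested "dependencies" tree) and reports every installed copy of a watch-listed package. The WATCHLIST versions are placeholders because the article does not list the exact affected version numbers; fill them from the advisory you rely on. The sample lockfile is constructed for the demonstration.

```javascript
// Added example (not from the original article): report watch-listed packages,
// including nested duplicates, from an npm lockfile.

// WATCHLIST: package name -> versions known to be compromised. The versions here
// are PLACEHOLDERS; replace with the exact versions from a trusted advisory.
const WATCHLIST = {
  chalk: ["0.0.0-PLACEHOLDER-BAD"],
  debug: ["0.0.0-PLACEHOLDER-BAD"],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (scoped names keep their "/").
function nameFromLockPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Yields {path, name, version} for every installed package, whichever lockfile version.
function* walkLockfile(lock) {
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p === "") continue;
      yield { path: p, name: nameFromLockPath(p), version: entry.version };
    }
    return;
  }
  // lockfileVersion 1: nested "dependencies" tree, recursed with the install path.
  function* walkDeps(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      yield { path: p, name, version: entry.version };
      yield* walkDeps(entry.dependencies, p + "/");
    }
  }
  yield* walkDeps(lock.dependencies, "");
}

// Returns every copy of a watched package. Exact name+version matches are
// "compromised"; other versions are "watched" so the reviewer still sees that the
// package is present and can confirm the pinned version is a clean one.
function auditLockfile(lock, watchlist = WATCHLIST) {
  const hits = [];
  for (const pkg of walkLockfile(lock)) {
    const bad = watchlist[pkg.name];
    if (!bad) continue;
    hits.push({ ...pkg, status: bad.includes(pkg.version) ? "compromised" : "watched" });
  }
  return hits;
}

// Convenience wrapper for a lockfile on disk (CommonJS require, Node.js).
function auditLockfileAt(file, watchlist = WATCHLIST) {
  const fs = require("node:fs");
  return auditLockfile(JSON.parse(fs.readFileSync(file, "utf8")), watchlist);
}

// Constructed sample lockfile (v3 shape): one compromised copy of chalk at the top
// level and a clean copy of debug nested under another dependency.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/chalk": { version: "0.0.0-PLACEHOLDER-BAD" },
    "node_modules/some-lib": { version: "1.2.3" },
    "node_modules/some-lib/node_modules/debug": { version: "0.0.0-PLACEHOLDER-GOOD" },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]; exits 1 on a compromised hit.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const hits = file ? auditLockfileAt(file) : auditLockfile(SAMPLE_LOCK_V3);
  for (const h of hits) {
    console.log(`${h.status.padEnd(11)} ${h.name}@${h.version}  (${h.path})`);
  }
  process.exitCode = hits.some((h) => h.status === "compromised") ? 1 : 0;
}
```

A non-zero exit on a "compromised" hit makes this usable as a CI gate alongside the rg search the article suggests; the lockfile check tells you what npm would install, while the rg search over node_modules tells you what is actually on disk, and both are worth running because a stale install can differ from the lockfile.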
Security solutions such as Upwind and NowSecure offer tools to detect and mitigate the impact of such attacks. These platforms provide continuous monitoring for suspicious behavior, dependency scanning for vulnerable packages, and behavioral analytics to detect obfuscated scripts [1]. Mobile users are advised to monitor their accounts for unauthorized transactions, enable 2FA, and update apps as patches become available [2]. As the npm ecosystem continues to play a foundational role in software development, this incident highlights the urgent need for stronger security measures in open-source package management and developer authentication practices [3].
Sources:
[1] npm Supply Chain Attack: Massive Compromise of debug, chalk, and 16 Other Packages (Upwind), https://www.upwind.io/feed/npm-supply-chain-attack-massive-compromise-of-debug-chalk-and-16-other-packages
[2] Major NPM Supply-Chain Attack: Potential Impact on Mobile Applications (NowSecure), https://www.nowsecure.com/blog/2025/09/08/major-npm-supply-chain-attack-potential-impact-on-mobile-applications/
[3] npm Supply Chain Attack via Open Source Maintainer Compromise (Snyk), https://snyk.io/blog/npm-supply-chain-attack-via-open-source-maintainer-compromise/