Supply Chain Attack Hijacks NPM Crypto Tools with Stealthy Browser Malware
A series of JavaScript packages on npm, including widely used tools like `chalk`, `debug`, and `ansi-styles`, were recently compromised by a sophisticated supply chain attack. The malicious code was injected into 18 packages, collectively accounting for over 2 billion weekly downloads. These packages are integral to web development and are commonly used in the cryptocurrency and Web3 ecosystems. The attack exploited a phishing campaign targeting package maintainers, with one maintainer, known as “qix,” reportedly falling victim to a deceptive email from a recently registered domain, `npmjs.help`. The email prompted the maintainer to update two-factor authentication settings, a common tactic to gain unauthorized access [1].
The compromised code introduced a cryptostealer that operates within the browser, manipulating crypto wallet interactions and redirecting transactions to attacker-controlled addresses. The malware targets multiple blockchain platforms, including Ethereum (ETH), Solana (SOL), Bitcoin (BTC), and Litecoin (LTC), by hooking into browser APIs such as `fetch` and `XMLHttpRequest`. It alters transaction data before it is signed by the user, making it difficult to detect. The attack relies on look-alike wallet addresses: string-matching logic picks an attacker address that resembles the legitimate one, so the substitution appears legitimate to the untrained eye. This approach reduces the likelihood of user suspicion during transaction reviews [2].
According to security analysts, the malware operates at multiple levels—altering website content, API calls, and wallet transactions. It modifies what users see and interact with, ensuring that even if the UI appears correct, the underlying transaction is compromised. This multi-layered approach increases the stealth and effectiveness of the attack, making it particularly dangerous for Web3 developers and users. The malicious code was found to be active in the browser environment, monitoring for sensitive activity and rewriting transaction details in real time [3].
The attack was discovered quickly due to the responsiveness of the open-source community and security tools like Aikido Security and Semgrep. Upon notification, the affected maintainer began removing compromised versions, and many of the malicious packages were taken down before they could cause widespread damage. The speed of the response likely limited the attack’s impact. As of the latest reports, some packages, like `simple-swizzle`, remained compromised for a short period before being addressed. Despite the rapid response, the incident highlights the vulnerability of decentralized development ecosystems to targeted phishing attacks and the potential for widespread compromise through supply chain vulnerabilities [1].
In response, security experts recommend that developers implement additional safeguards, such as using `npm ci` in build pipelines, which installs exactly the versions pinned in the lockfile and fails if the lockfile and `package.json` disagree. It is also advised to re-scan projects that may have included compromised versions during the attack window. Tools like Checkmarx Malicious Package and Semgrep have open-sourced detection rules to help identify whether a project was affected. The attack underscores the importance of maintaining strict access controls, phishing awareness, and continuous monitoring of package integrity in the JavaScript ecosystem [2].
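One way to perform the re-scan recommended above, as an added example that is not code from this page or from any of the vendors it names: it walks a `package-lock.json` (lockfileVersion 2 or 3), reports every installed copy of a package named in the incident, nested copies included, with its version and integrity hash, and flags the copy if the version is on the watchlist. Because this page gives no affected version numbers, the versions in `WATCHLIST` and the sample lockfile are placeholders to be replaced with the advisory's list.

```javascript
// Audit a package-lock.json for packages named in the npm chalk/debug incident.
// The affected-version values are PLACEHOLDERS, not taken from the page or any advisory.
const WATCHLIST = {
  chalk: ["0.0.0-placeholder"],
  debug: ["0.0.0-placeholder"],
  "ansi-styles": ["0.0.0-placeholder"],
  "simple-swizzle": ["0.0.0-placeholder"],
};

// Derive the package name from a lockfile path, handling nesting and scopes:
// "node_modules/foo/node_modules/@scope/name" -> "@scope/name".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one finding per installed copy of a watched package.
function auditLockfile(lockJson, watchlist = WATCHLIST) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    if (!name || !Object.prototype.hasOwnProperty.call(watchlist, name)) continue;
    findings.push({
      name,
      path: lockPath,
      version: meta.version,
      integrity: meta.integrity || null, // compare against the registry's known-good hash
      affected: watchlist[name].includes(meta.version),
    });
  }
  return findings;
}

// Constructed sample lockfile: a direct chalk, a nested debug, and an unrelated package.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app", lockfileVersion: 3, packages: {
    "": { name: "sample-app", dependencies: { chalk: "^5.0.0" } },
    "node_modules/chalk": { version: "5.3.0", integrity: "sha512-constructedA==" },
    "node_modules/express": { version: "4.19.2", integrity: "sha512-constructedB==" },
    "node_modules/express/node_modules/debug": { version: "0.0.0-placeholder", integrity: "sha512-constructedC==" },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.affected ? "AFFECTED" : "review  "} ${f.name}@${f.version} at ${f.path}`);
}
```

Point `auditLockfile` at the real lockfile contents in CI and fail the build on any `affected: true` finding; copies that are not flagged still deserve an integrity check against the registry.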
Sources:

[1] Aikido Security, "npm debug and chalk packages compromised", https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

[2] Semgrep, "Security Alert | chalk, debug and color on npm ...", https://semgrep.dev/blog/2025/chalk-debug-and-color-on-npm-compromised-in-new-supply-chain-attack

[3] Checkmarx, "Chalk And 17 Other NPM Packages Compromised In ...", https://checkmarx.com/zero-post/chalk-and-17-other-npm-packages-compromised-in-supply-chain-attack/