Ethereum News Today: "1 Billion Downloads Compromised: How Malware Hijacked Crypto Transactions via NPM"

Generated by AI Agent, Coin World
Monday, Sep 8, 2025 5:06 pm ET

Summary

- Ledger CTO warns of NPM supply chain attack manipulating crypto transactions via compromised packages with 2B+ weekly downloads.

- Attackers used phishing to hijack developer accounts, injecting malicious code into popular packages like chalk and debug to siphon funds stealthily.

- GhostAction campaign exposed 3,325 stolen secrets from GitHub, highlighting risks of credential leaks in software supply chains.

- Experts recommend hardware wallets with secure screens and CI/CD security policies to mitigate transaction manipulation and unauthorized access.

Ledger CTO Charles Guillemet has raised concerns about a large-scale supply chain attack targeting the JavaScript ecosystem through compromised Node Package Manager (NPM) packages. The attack, according to Guillemet, involves the manipulation of wallet addresses in cryptocurrency transactions, potentially redirecting funds to attacker-controlled accounts without user awareness [7]. This development highlights the growing risks within open-source software ecosystems, where vulnerabilities in widely used tools can have cascading effects across the digital economy [7].

The compromised NPM account is attributed to a respected developer, with malicious code already distributed across packages boasting over 1 billion cumulative downloads. These packages have been exploited to inject harmful payloads that manipulate transaction destinations, thereby enabling attackers to siphon funds silently [7]. The incident underscores the importance of robust security measures in software development, particularly for tools that are frequently integrated into critical blockchain applications and wallets [7]. Guillemet emphasized the necessity of using hardware wallets with secure screens to verify transaction details before signing, as this provides a critical layer of protection against such attacks [7].

Aikido's security intelligence feed detected the initial compromise on September 8, 2025, highlighting the widespread impact of the malicious packages. Eighteen packages, including popular ones like chalk, debug, and ansi-styles, were found to be compromised. These packages collectively account for over 2 billion weekly downloads, indicating the potential scale of exposure [2]. The malicious code is designed to intercept and manipulate crypto activity in browsers, altering transaction parameters and redirecting payments to attacker-controlled accounts [2]. The threat actor leveraged phishing techniques to gain access to the developer's NPM account, demonstrating the effectiveness of social engineering in compromising software supply chains [2].

The malicious code operates by injecting itself into core browser functions, such as fetch and XMLHttpRequest, and hooks into wallet APIs to monitor and manipulate crypto-related transactions. It stealthily captures sensitive data, including wallet addresses and transfer details, and replaces legitimate destinations with attacker-controlled addresses chosen by lookalike string matching, so that the substituted address resembles the original at a glance [2]. This allows the malware to remain undetected while altering transactions before they are signed by the user [2]. Despite these sophisticated tactics, the maintainer of the compromised packages began cleaning up the affected packages shortly after being notified [2]. However, some packages, like simple-swizzle, were still compromised at the time of reporting [2].
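The two behaviours described above, hooking of request entry points and lookalike address substitution, each suggest a defender-side check. The following is an added example and is not code from the article or from Ledger, Aikido or any other party it cites; the function names, the list of checked builtins and the four-character edge threshold are assumptions.

```javascript
// Added example, not code from the article or the vendors it cites. Function
// names, the builtin list and the 4-character edge threshold are assumptions.

// Native browser builtins stringify to "... { [native code] }"; a JavaScript
// wrapper installed by an injected package does not. Heuristic only: a hook that
// also patches Function.prototype.toString passes it, so a clean result is
// necessary, not sufficient (the hardware wallet's secure screen still decides).
function isNativeFunction(fn) {
  return typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Names of the request entry points on global object `g` that exist but are no
// longer native. Pass `window` in a page; constructed objects are used below.
function findHookedBuiltins(g) {
  const xhr = g.XMLHttpRequest && g.XMLHttpRequest.prototype;
  const targets = {
    "fetch": g.fetch,
    "XMLHttpRequest.prototype.open": xhr && xhr.open,
    "XMLHttpRequest.prototype.send": xhr && xhr.send,
  };
  return Object.entries(targets)
    .filter(([, fn]) => typeof fn === "function" && !isNativeFunction(fn))
    .map(([name]) => name);
}

function sharedPrefixLength(a, b) {
  let i = 0;
  while (i < a.length && i < b.length && a[i] === b[i]) i++;
  return i;
}

// A swapped destination is chosen to resemble the original so that the leading
// and trailing characters look right. Compare the address the user entered with
// the one about to be signed and name the near-miss explicitly. Addresses are
// lowercased first so EIP-55 mixed-case checksums do not cause false mismatches.
function classifyDestination(intended, submitted, edgeChars = 4) {
  const a = intended.toLowerCase(), b = submitted.toLowerCase();
  if (a === b) return "match";
  const reverse = (s) => [...s].reverse().join("");
  const prefix = sharedPrefixLength(a, b);
  const suffix = sharedPrefixLength(reverse(a), reverse(b));
  if (a.length === b.length && prefix >= edgeChars && suffix >= edgeChars) {
    return "lookalike"; // same shape, same visible ends, different middle
  }
  return "mismatch";
}

// Constructed sample: a wrapped fetch and a recipient whose middle was changed.
const hookedGlobal = { fetch: function (url, opts) { return url; } };
const intendedAddr  = "0x1234" + "a".repeat(32) + "5678";
const lookalikeAddr = "0x1234" + "f".repeat(32) + "5678";
```

In Node the global `fetch` is implemented in JavaScript rather than as a native binding, so `findHookedBuiltins(globalThis)` would report it there; the check is meant for a browser `window`.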

ReversingLabs also identified a separate but related campaign involving the use of Ethereum smart contracts to deliver malware via npm packages such as colortoolsv2 and mimelib2. These packages were part of a broader effort to deceive developers into incorporating malicious code into their projects, with the smart contracts used to host the URLs of the command-and-control servers [3]. This innovative approach to malware delivery highlights the evolving nature of supply chain attacks and the increasing sophistication of threat actors in leveraging blockchain technologies for malicious purposes [3]. The campaign also involved the creation of fake GitHub repositories and accounts to boost the legitimacy of the malicious packages, underscoring the multifaceted nature of such threats [3].

The GhostAction campaign, as identified by GitGuardian, further illustrates the scale of the threat, with 327 GitHub users and 817 repositories compromised to exfiltrate over 3,325 secrets, including PyPI, npm, and DockerHub tokens [5]. These stolen credentials pose an ongoing risk to the software supply chain, as they could be used to publish malicious artifacts or gain unauthorized access to production environments [5]. The campaign was detected through GitGuardian’s internal monitoring, which led to the rapid identification and mitigation of the threat [5]. The exfiltration endpoint used in the campaign was later taken offline, indicating the attackers’ attempts to evade detection [5].

The interconnected nature of these supply chain threats highlights the need for developers and organizations to adopt rigorous security practices. This includes thorough vetting of open-source packages and their maintainers, as well as continuous monitoring for signs of compromise. The use of hardware wallets with secure screens, as recommended by Ledger’s CTO, remains a critical defense against transaction manipulation attacks [7]. Additionally, the implementation of branch protection rules and secret exfiltration policies within CI/CD pipelines can help prevent unauthorized changes and detect malicious activity early [5]. As supply chain attacks become increasingly sophisticated, proactive security measures are essential to safeguarding the integrity of software ecosystems and the assets they support.

Sources:

[1] Largest NPM Compromise in History - Supply Chain Attack (https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/)
[2] npm debug and chalk packages compromised (https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised)
[3] Ethereum smart contracts used to push malicious code on ... (https://www.reversinglabs.com/blog/ethereum-contracts-malicious-code)
[4] The GhostAction Campaign: 3325 Secrets Stolen Through ... (https://blog.gitguardian.com/ghostaction-campaign-3-325-secrets-stolen/)
[5] GhostAction Campaign: Over 3000 Secrets Stolen Through ... (https://www.stepsecurity.io/blog/ghostaction-campaign-over-3-000-secrets-stolen-through-malicious-github-workflows)
[6] Dark web vendors distribute fake Ledger wallet pages ... (https://finance.yahoo.com/news/dark-vendors-distribute-fake-ledger-181419230.html)
[7] Ledger CTO Warns of NPM Supply-Chain Attack Hitting ... (https://www.coindesk.com/tech/2025/09/08/ledger-cto-warns-of-npm-supply-chain-attack-hitting-1b-downloads)
[8] Ledger CTO warns of shocking NPM attacks by crypto ... (https://www.thestreet.com/crypto/markets/ledger-cto-warns-of-shocking-npm-attacks-by-crypto-hackers)
