Ethereum News Today:

Generated by AI AgentCoin World
Monday, Sep 8, 2025 3:24 pm ET

Summary

- A historic supply chain attack compromised popular npm packages such as `ansi-styles` and `chalk`, which together account for 2B+ weekly downloads, to steal crypto funds via browser-based transaction manipulation.

- Attackers used phishing to breach a core developer's npm account, injecting stealth malware that hijacks browser APIs and redirects crypto to attacker-controlled "lookalike" addresses.

- Security firm Aikido discovered the breach, prompting a partial cleanup, but packages like `simple-swizzle` still contained malicious code at the time of reporting, highlighting open-source supply chain vulnerabilities.

- The attack underscores risks of credential phishing in developer ecosystems, with malware capable of altering unsigned crypto transactions while avoiding UI detection cues.

- While limited to crypto theft, the incident demonstrates how widely-used open-source tools can be weaponized, urging stronger authentication and dependency verification practices.

One of the most significant supply chain attacks in history has been identified, impacting millions of cryptocurrency users globally. The attack leveraged compromised JavaScript packages on the npm (Node Package Manager) platform, a critical tool for developers working in the JavaScript ecosystem. The compromised packages, including widely used tools such as `ansi-styles`, `debug`, `chalk`, and others, collectively accounted for over 2 billion weekly downloads before the breach was detected [2]. The malicious code injected into these packages is designed to intercept and manipulate cryptocurrency transactions in the browser, redirecting funds to attacker-controlled addresses [2].

The attack appears to have originated from a phishing campaign targeting the npm account of a core developer. A phishing email, reportedly sent from a domain registered just days before the incident, successfully compromised the developer's credentials. This enabled the attackers to push malicious updates to the affected packages. Once installed, the malware injects itself into web browsers, hijacking core functions like `fetch`, `XMLHttpRequest`, and wallet APIs such as `window.ethereum`. It then silently intercepts and alters transaction data, including wallet addresses and transaction parameters, to divert cryptocurrency assets without the user’s knowledge [2].
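
The hooks described above (`fetch`, `XMLHttpRequest` and the injected wallet provider) can be audited from the defender's side. The following is an added example written for this article; it is not code from the article, from Aikido, or from any wallet vendor. It combines two signals because each alone has a gap: genuine browser built-ins stringify to `{ [native code] }`, which a JavaScript wrapper does not, and a snapshot of function identities taken early catches any later replacement, including a `Proxy` (which also stringifies as native code). The `WATCHED` path list is an assumption for the demo, and the `window` stand-in is constructed so the block runs in Node without a browser.

```javascript
// Added example: page-side integrity audit for globals the article says the
// malware hooks. Not code from the article or from any vendor it names.
// Signal 1 (native-code check) applies only to true browser built-ins;
// window.ethereum.request is JavaScript injected by the wallet extension,
// so only signal 2 (reference snapshot) applies to it.

const NATIVE_CODE = /\{\s*\[native code\]\s*\}\s*$/;

// Dotted paths on the global object to watch (hypothetical list; extend as needed).
const WATCHED = [
  ['fetch'],
  ['XMLHttpRequest', 'prototype', 'open'],
  ['XMLHttpRequest', 'prototype', 'send'],
  ['ethereum', 'request'],
];

// Follow a property path from root, returning undefined if any step is missing.
function resolvePath(root, path) {
  let cur = root;
  for (const key of path) {
    if (cur === null || cur === undefined) return undefined;
    cur = cur[key];
  }
  return cur;
}

// Signal 1 helper: a genuine built-in prints as "function name() { [native code] }".
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  return NATIVE_CODE.test(Function.prototype.toString.call(fn));
}

// Signal 1: names of watched built-ins that are present but not native.
function findNonNativeBuiltins(root) {
  const bad = [];
  for (const path of WATCHED) {
    if (path[0] === 'ethereum') continue; // provider is JavaScript by design
    const fn = resolvePath(root, path);
    if (fn !== undefined && !isNativeFunction(fn)) bad.push(path.join('.'));
  }
  return bad;
}

// Signal 2: record function identities as early in page load as possible.
function snapshotRefs(root) {
  const snap = new Map();
  for (const path of WATCHED) snap.set(path.join('.'), resolvePath(root, path));
  return snap;
}

// Signal 2: later, list every watched function whose identity changed.
function findReplacedRefs(snapshot, root) {
  const changed = [];
  for (const [name, original] of snapshot) {
    if (original !== undefined && resolvePath(root, name.split('.')) !== original) changed.push(name);
  }
  return changed;
}

// Offline demo on a constructed stand-in for `window` (no browser needed).
function demoHookAudit() {
  function FakeXHR() {}
  FakeXHR.prototype.open = Math.max;   // stands in for a native built-in
  FakeXHR.prototype.send = Math.min;
  const fakeWindow = {
    fetch: Array.prototype.map,        // native built-in standing in for window.fetch
    XMLHttpRequest: FakeXHR,
    ethereum: { request: async () => null }, // provider is plain JavaScript
  };
  const snap = snapshotRefs(fakeWindow);
  // Simulate tampering after the snapshot: a JS passthrough wrapper and a Proxy.
  const realFetch = fakeWindow.fetch;
  fakeWindow.fetch = function wrapped(...args) { return realFetch.apply(this, args); };
  fakeWindow.ethereum.request = new Proxy(snap.get('ethereum.request'), {});
  return {
    nonNative: findNonNativeBuiltins(fakeWindow),  // ['fetch']
    replaced: findReplacedRefs(snap, fakeWindow),  // ['fetch', 'ethereum.request']
  };
}
```

In a real page the snapshot is only as good as its timing: code bundled with the page, as in this incident, may run before any in-page check, so the snapshot is strongest when taken from a separate context such as a browser extension's content script. The native-code check has no timing dependency but misses `Proxy` wrappers, which is why both signals are reported.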

The malware is particularly sophisticated in its ability to operate stealthily. It uses "lookalike" addresses—addresses that visually resemble the intended destination—to obscure the redirection of funds. Additionally, it manipulates Ethereum and Solana transactions before they are signed by the user, meaning even a seemingly legitimate transaction may result in funds being sent to the wrong address. The malware also avoids obvious UI changes when a crypto wallet is detected, reducing the likelihood of detection by users [2].
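
Because the substitution happens before signing and relies on addresses that look right at a glance, the practical countermeasure is to compare the exact parameters about to be signed against what the user entered, in full rather than by eye. The block below is an added example, not code from the article, from Aikido, or from any wallet; the `{ to, value }` parameter shape, the chain labels and the `EDGE` width are assumptions for the demo. Ethereum addresses compare case-insensitively (EIP-55 mixed case is only a checksum), Solana addresses are base58 and case-sensitive, and a mismatch that agrees on the leading and trailing characters is reported as a lookalike.

```javascript
// Added example: final intent check on the parameters a wallet is about to
// sign. Not code from the article or from any wallet vendor.

const ETH_ADDR = /^0x[0-9a-fA-F]{40}$/;
const SOL_ADDR = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;
const EDGE = 4; // leading/trailing characters a person tends to eyeball (assumed)

// Canonical form of an address for the given chain, or null if malformed.
function normalizeAddress(chain, addr) {
  if (typeof addr !== 'string') return null;
  if (chain === 'ethereum') return ETH_ADDR.test(addr) ? addr.toLowerCase() : null;
  if (chain === 'solana') return SOL_ADDR.test(addr) ? addr : null;
  return null;
}

// True when two distinct addresses share the characters a user would glance
// at (both edges) but differ in between: the "lookalike" pattern.
function isLookalike(a, b) {
  if (a === b || a.length !== b.length) return false;
  const head = a.startsWith('0x') ? EDGE + 2 : EDGE;
  return a.slice(0, head) === b.slice(0, head) && a.slice(-EDGE) === b.slice(-EDGE);
}

// Compare the user's intent { to, value } with the parameters to be signed.
// value is an amount in base units as a decimal or 0x-prefixed string.
function checkTxIntent(chain, intent, txParams) {
  const want = normalizeAddress(chain, intent.to);
  const got = normalizeAddress(chain, txParams.to);
  if (want === null) return { ok: false, reason: 'intended address malformed', lookalike: false };
  if (got === null) return { ok: false, reason: 'recipient in tx malformed', lookalike: false };
  if (want !== got) {
    return { ok: false, reason: 'recipient differs from intended address', lookalike: isLookalike(want, got) };
  }
  if (intent.value !== undefined) {
    let same;
    try { same = BigInt(intent.value) === BigInt(txParams.value); } catch { same = false; }
    if (!same) return { ok: false, reason: 'value differs from intended amount', lookalike: false };
  }
  return { ok: true, reason: 'parameters match intent', lookalike: false };
}

// Offline demo on constructed addresses (not real accounts).
function demoIntentCheck() {
  const intended = '0x' + 'ab'.repeat(20);                  // constructed
  const sameChecksumCase = '0x' + 'AB'.repeat(20);          // same address, EIP-55-style case
  const lookalike = '0xabab' + 'cd'.repeat(16) + 'abab';    // same edges, different middle
  return {
    clean: checkTxIntent('ethereum', { to: intended, value: '1000' }, { to: sameChecksumCase, value: '0x3e8' }),
    swapped: checkTxIntent('ethereum', { to: intended, value: '1000' }, { to: lookalike, value: '1000' }),
    drained: checkTxIntent('ethereum', { to: intended, value: '1000' }, { to: intended, value: '1000000' }),
    solanaCase: checkTxIntent('solana', { to: 'A'.repeat(32) }, { to: 'a'.repeat(32) }),
  };
}
```

The check only helps if the intent it compares against was captured independently of the code path the malware hooks; recording the recipient at the moment the user types it, rather than re-reading it from the DOM just before signing, is the design choice that makes the comparison meaningful.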

Security firm Aikido first identified the compromised packages and immediately alerted the affected maintainer. The developer responded by initiating a cleanup process, but at the time of the report, some packages, such as `simple-swizzle`, still contained malicious code. The attackers also attempted to compromise another package, `proto-tinker-wc@0.1.87`, using similar methods [2]. The incident highlights a critical vulnerability in the open-source software supply chain and underscores the importance of robust authentication and phishing protection for developers.

The impact of the attack, while primarily focused on cryptocurrency transactions, could have been far broader had the malware included more invasive capabilities, such as backdoors or data exfiltration. Fortunately, the attackers appear to have prioritized crypto-related manipulation, which limited the scope of the breach [2]. Still, the sheer popularity of the affected packages makes this one of the most far-reaching supply chain attacks in history.

As the incident unfolds, it serves as a stark reminder of the risks associated with open-source software and the potential for malicious actors to exploit widely used tools. Developers and organizations are being urged to verify the integrity of their dependencies and consider solutions like Aikido's Safe-Chain to mitigate similar risks in the future [2].
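
Verifying dependencies starts with knowing exactly which copies of the named packages a project has installed, including nested copies pulled in transitively. The block below is an added example, not code from the article or from Aikido: an offline audit of an npm lockfile for the package names the article lists. It reads package-lock.json v2/v3 (the `packages` map keyed by install path) and v1 (nested `dependencies`). The version lists in `WATCHLIST` are placeholders to be filled from the maintainer's or vendor's advisory, since the article gives a version only for `proto-tinker-wc`; `'*'` flags every installed copy for manual review. `SAMPLE_LOCK` is constructed so the block runs without a real project.

```javascript
// Added example: audit an npm lockfile for the package names in the article.
// Not code from the article or from any vendor it names.

const WATCHLIST = {
  'ansi-styles': '*',             // names from the article; bad versions unknown here,
  'debug': '*',                   // so every installed copy is flagged for review
  'chalk': '*',
  'simple-swizzle': '*',
  'proto-tinker-wc': ['0.1.87'],  // the one version the article names
};

// Flatten a lockfile into { name, version, path } records, nested copies included.
function collectInstalled(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as node_modules/a/node_modules/b
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx === -1) continue;  // root project or workspace entry
      found.push({ name: path.slice(idx + 'node_modules/'.length), version: meta.version, path });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        found.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Keep only records whose name is watched and whose version is listed (or '*').
function findWatched(installed, watchlist = WATCHLIST) {
  return installed.filter(({ name, version }) => {
    const want = watchlist[name];
    return want !== undefined && (want === '*' || want.includes(version));
  });
}

// Audit a real lockfile on disk, e.g. auditLockfile('./package-lock.json').
function auditLockfile(file) {
  const fs = require('fs');
  return findWatched(collectInstalled(JSON.parse(fs.readFileSync(file, 'utf8'))));
}

// Constructed lockfile for an offline run; "0.0.0-sample" marks made-up versions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '0.0.0-sample' },
    'node_modules/debug': { version: '0.0.0-sample' },
    'node_modules/left-pad': { version: '0.0.0-sample' },
    'node_modules/some-tool/node_modules/ansi-styles': { version: '0.0.0-sample' },
    'node_modules/proto-tinker-wc': { version: '0.1.87' },
    'node_modules/other/node_modules/proto-tinker-wc': { version: '0.0.0-sample' },
  },
};

function demoLockAudit() {
  return findWatched(collectInstalled(SAMPLE_LOCK)).map(p => `${p.name}@${p.version} at ${p.path}`);
}
```

The lockfile is the record of what `npm ci` will install, so auditing it (rather than only the top-level package.json) catches nested copies such as the `ansi-styles` under `some-tool` above; `npm ls <name>` gives a similar view interactively. Once an advisory publishes the exact malicious versions, replace the `'*'` entries with those lists so the audit stops flagging clean copies.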

Sources:

[1] npm - a JavaScript package manager (https://www.npmjs.com/package/npm)

[2] Largest NPM Compromise in History - Supply Chain Attack (https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/)

[3] npm debug and chalk packages compromised (https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised)

[4] Ethereum Layer 2 Kinto shuts down in wake of $1.6 million ... (https://www.theblock.co/post/369731/ethereum-layer-2-kinto-shuts-down-in-wake-of-1-6-million-july-exploit)

[5] Nemo Protocol Hacked for $2.4M, Funds Already Bridged to ... (https://finance.yahoo.com/news/nemo-protocol-hacked-2-4m-081422991.html)
