Ethereum News Today: JavaScript's Hidden Thief: How a Billion-Download Hack Silently Steals Crypto
Ledger CTO Charles Guillemet has raised alarms about a large-scale supply chain attack affecting the Node Package Manager (NPM) ecosystem, warning users to be vigilant with their on-chain transactions. The attack involves a compromised NPM account of a reputable developer, which has led to malicious code being pushed into widely used packages with over 1 billion downloads globally. This malicious code is designed to silently swap cryptocurrency wallet addresses during transactions, potentially redirecting users’ funds to the attacker’s address without their knowledge [1].
Guillemet emphasized that the attack highlights the vulnerabilities in open-source software ecosystems, where a single compromised developer account can ripple into the broader crypto economy. He specifically warned that if any decentralized application or software wallet integrates the compromised JavaScript packages, users could lose funds. The scale of the attack is underscored by the sheer number of downloads the affected packages have received, suggesting that a vast portion of the JavaScript ecosystem may already be at risk [1].
To mitigate the risk, Guillemet advised users to utilize hardware wallets that support "Clear Signing," which allows users to verify the exact transaction details, including the destination address, before signing. Hardware wallets with secure screens provide a critical defense against such attacks by ensuring that users can visually confirm the transaction details. He stressed that wallets without these features are at heightened risk, as users cannot accurately verify whether the transaction details are correct [1].
In response to the attack, several actions have been taken to contain the damage. The compromised NPM packages were reportedly disabled by NPM, and efforts are underway for developers to audit their dependencies and patch their code. However, users who updated their dependencies in the last few hours may still be vulnerable until their applications are reviewed [1]. In parallel, another campaign, dubbed "GhostAction," was revealed by GitGuardian, in which attackers compromised GitHub repositories to steal secrets from CI/CD workflows. This campaign resulted in the exfiltration of 3,325 secrets, including NPM tokens, DockerHub credentials, and GitHub tokens, creating potential supply chain risks [4].
In light of these incidents, cybersecurity tools and platforms are developing new measures to prevent such attacks. StepSecurity recently introduced the "NPM Package Cooldown Check," a GitHub pull request check that blocks the immediate adoption of newly released npm packages, allowing a waiting period for vetting. This measure is designed to give teams time to evaluate new package releases and reduce the likelihood of incorporating malicious code into their workflows [5]. The Cooldown Check is part of a broader strategy to integrate security into the development lifecycle, preventing attacks before they can be exploited.
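A cooldown check of the kind described above can be run against a lockfile before a dependency update is merged. The following is an added illustration, not StepSecurity's own implementation: it reads the `packages` section of a package-lock.json (v3 layout) and compares each resolved version against the publish timestamps in the registry's `time` map, flagging anything younger than the cooldown window. The package names, lockfile, registry data and the 7-day window are all constructed for the example.

```javascript
// Added example: flag lockfile entries whose resolved version was published
// within a cooldown window. Mirrors the "time" map (version -> ISO date) found
// in npm registry packuments at https://registry.npmjs.org/<name>.

const COOLDOWN_DAYS = 7; // assumed policy value, not taken from the page

// Constructed sample of a package-lock.json v3 "packages" section.
const sampleLock = {
  packages: {
    "": { name: "my-app" },
    "node_modules/example-pkg-a": { version: "2.4.1" },
    "node_modules/example-pkg-b": { version: "1.0.9" },
    "node_modules/example-pkg-b/node_modules/example-pkg-c": { version: "0.3.0" },
  },
};

// Constructed registry metadata keyed by package name (packument "time" field only).
const sampleRegistry = {
  "example-pkg-a": { time: { "2.4.0": "2025-06-01T00:00:00.000Z", "2.4.1": "2025-09-08T09:00:00.000Z" } },
  "example-pkg-b": { time: { "1.0.9": "2025-03-15T00:00:00.000Z" } },
  "example-pkg-c": { time: { "0.3.0": "2025-09-07T22:00:00.000Z" } },
};

// Lockfile keys are install paths; the package name is everything after the
// last "node_modules/" (scoped names such as "@scope/b" are preserved).
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Return every dependency published less than cooldownDays before `now`,
// plus any whose publish time cannot be found (treated as a failed check).
function findCooldownViolations(lock, registry, now, cooldownDays = COOLDOWN_DAYS) {
  const cutoffMs = now.getTime() - cooldownDays * 86400000;
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry.version) continue; // skip the root project entry
    const published = registry[name] && registry[name].time && registry[name].time[entry.version];
    if (!published) {
      violations.push({ name, version: entry.version, reason: "unknown publish time" });
      continue;
    }
    const publishedMs = Date.parse(published);
    if (publishedMs > cutoffMs) {
      const ageDays = ((now.getTime() - publishedMs) / 86400000).toFixed(1);
      violations.push({ name, version: entry.version, reason: `published ${ageDays} days ago` });
    }
  }
  return violations;
}

console.log(findCooldownViolations(sampleLock, sampleRegistry, new Date("2025-09-09T12:00:00Z")));
```

In a real pull request check the registry data would be fetched per package and a non-empty result would fail the check; a lockfile that resolves a version not present in the registry's `time` map is reported rather than silently passed.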
The growing complexity of these attacks underscores the need for continuous vigilance and proactive security measures in the open-source and cryptocurrency ecosystems. Developers and organizations are urged to enforce stricter vetting of open-source packages, maintainers, and smart contract interactions. As attackers increasingly leverage sophisticated techniques, such as weaponizing Ethereum smart contracts to deliver malware, robust security protocols and community cooperation in detecting and mitigating threats become paramount [6].
Sources:
[1] Ledger CTO Warns of NPM Supply-Chain Attack Hitting 1b Downloads (https://www.coindesk.com/tech/2025/09/08/ledger-cto-warns-of-npm-supply-chain-attack-hitting-1b-downloads)
[2] Ledger CTO Warns of Shocking NPM Attacks by Crypto Hackers (https://www.thestreet.com/crypto/markets/ledger-cto-warns-of-shocking-npm-attacks-by-crypto-hackers)
[3] Ledger Warns Halt Onchain Transactions Massive NPM Supply-Chain Attack (https://www.theblock.co/post/369893/ledger-warns-halt-onchain-transactions-massive-npm-supply-chain-attack?utm_medium=rss&utm_source=news.xml)
[4] The GhostAction Campaign: 3325 Secrets Stolen Through GitHub Actions (https://blog.gitguardian.com/ghostaction-campaign-3-325-secrets-stolen)
[5] Introducing the NPM Package Cooldown Check (https://www.stepsecurity.io/blog/introducing-the-npm-package-cooldown-check)
[6] Ethereum Smart Contracts Weaponized in NPM Supply Chain Attack (https://www.betterworldtechnology.com/post/ethereum-smart-contracts-weaponized-in-npm-supply-chain-attack-targeting-crypto-developers)