Ethereum News Today: "Phished NPM Maintainer Enables $50 Crypto Heist via 2 Billion Downloads"

Generated by AI Agent, Coin World
Monday, Sep 8, 2025 6:51 pm ET

Summary

- Hackers executed crypto's largest supply chain attack by injecting malware into NPM's widely used JavaScript libraries like chalk and color-convert, affecting billions of downloads.

- Malware alters Ethereum/Solana transactions by silently swapping wallet addresses, with Aikido Security detecting the breach within an hour to limit losses to under $50 in stolen crypto.

- Attack exploited a phishing-compromised maintainer's account to modify 18 packages, prompting warnings for developers to roll back to secure versions and for users to verify transactions carefully.

- Security firms emphasize the vulnerability of open-source ecosystems, urging dependency audits and proactive monitoring as attackers increasingly target foundational software infrastructure.

Hackers have launched what is being described as the largest supply chain attack in crypto history, exploiting the node package manager (NPM) to inject malware into widely used JavaScript libraries. The malicious code, which affects core utilities such as chalk, strip-ansi, and color-convert, has been downloaded billions of times, exposing countless applications and projects to potential compromise. These libraries are embedded deep within the dependency chains of JavaScript applications, meaning even developers who did not install them directly could be affected. The malware is designed to intercept and alter cryptocurrency transactions, particularly targeting Ethereum and Solana wallets. By silently swapping wallet addresses during transactions, the attackers redirect funds without the user's knowledge, making the transfers appear legitimate.

Security intelligence firm Aikido Security reported that the attack was detected and disclosed within an hour, limiting the damage to a relatively small amount: less than $50 stolen in cryptocurrency so far. The malicious activity included stealing 5 cents worth of Ethereum and $20 worth of memecoins, according to Security Alliance, a crypto intelligence platform. The minimal financial loss is attributed to the swift response from the security community and the early detection of the breach. Aikido's analysis revealed that the malware hooks into popular wallet APIs, such as MetaMask and Phantom, and operates at both the browser and API levels. This allows it to alter transaction data before users sign, making the fraudulent transfers appear legitimate. The malicious code also intercepts network traffic and modifies transaction payloads, approvals, and even Solana's signing flow.
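The defensive counterpart to the payload tampering described above, as an added example that is not from the article or from Aikido's analysis: a pre-signing consistency check that a dApp or a wallet-side monitor can run over an EIP-1193 `eth_sendTransaction` request, flagging when the recipient in `tx.to` or inside ERC-20 `transfer`/`approve` calldata no longer matches what the user chose in the UI. The function names, addresses and request below are constructed for illustration; only the two ERC-20 function selectors are real.

```javascript
const TRANSFER_SELECTOR = '0xa9059cbb'; // ERC-20 transfer(address,uint256) selector
const APPROVE_SELECTOR = '0x095ea7b3';  // ERC-20 approve(address,uint256) selector

function normalize(addr) {
  return String(addr || '').toLowerCase();
}

// For transfer()/approve() calldata, return the address argument: the selector is
// 4 bytes (8 hex chars after "0x") and the address is the last 20 bytes of the
// first 32-byte ABI word. Other selectors are ignored (returns null).
function recipientFromCalldata(data) {
  if (typeof data !== 'string' || data.length < 74) return null;
  const selector = data.slice(0, 10).toLowerCase();
  if (selector !== TRANSFER_SELECTOR && selector !== APPROVE_SELECTOR) return null;
  return '0x' + data.slice(34, 74).toLowerCase();
}

// Compare the request the wallet is about to sign with the destination the user
// chose in the UI. Returns a list of findings; an empty list means they agree.
function checkSendTransaction(request, intended) {
  const findings = [];
  if (!request || request.method !== 'eth_sendTransaction') return findings;
  const tx = (request.params && request.params[0]) || {};
  if (intended.to && normalize(tx.to) !== normalize(intended.to)) {
    findings.push(`tx.to is ${tx.to}, expected ${intended.to}`);
  }
  const inner = recipientFromCalldata(tx.data);
  if (intended.tokenRecipient && inner && inner !== normalize(intended.tokenRecipient)) {
    findings.push(`calldata recipient is ${inner}, expected ${intended.tokenRecipient}`);
  }
  return findings;
}

// Constructed sample (not real addresses): the user meant to send tokens to
// 0x1111..., but the request reaching the wallet carries 0x2222... in the calldata.
const USER_INTENT = {
  to: '0xaaaa000000000000000000000000000000000001', // token contract
  tokenRecipient: '0x1111111111111111111111111111111111111111',
};
const TAMPERED_REQUEST = {
  method: 'eth_sendTransaction',
  params: [{
    from: '0xcccc000000000000000000000000000000000001',
    to: '0xAAAA000000000000000000000000000000000001', // same contract, different case
    data: '0xa9059cbb' + '0'.repeat(24) +
      '2222222222222222222222222222222222222222' +   // swapped recipient
      '0'.repeat(48) + '0de0b6b3a7640000',            // amount: 1e18 base units
  }],
};

function demoCheck() { return checkSendTransaction(TAMPERED_REQUEST, USER_INTENT); }
```

Because this check runs inside the same page as a compromised dependency, it raises the bar rather than guaranteeing detection; the hardware-wallet screen mentioned later in the article remains the independent source of truth.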

The breach exploited a compromised NPM account belonging to a long-trusted maintainer, who was reportedly the victim of a phishing email. The attacker altered 18 popular packages, including chalk, debug, and ansi-styles, which together have more than two billion weekly downloads. The maintainer confirmed on Bluesky that access to his account was lost after the phishing attack. Some of the packages remain compromised, and developers are advised to roll back to known safe versions to mitigate risks. The malicious code has already been removed from many of the affected packages, but the situation remains fluid. Security researchers emphasized that the attack underscores the vulnerabilities in open-source software supply chains, particularly for ecosystems where dependencies are deeply nested and often updated without user awareness.

Ledger’s Chief Technology Officer, Charles Guillemet, issued a warning urging crypto users to exercise extreme caution when confirming onchain transactions. He highlighted the risks associated with using software wallets, particularly those not secured by hardware-based authentication. For users who rely on hardware wallets, careful verification of every transaction is advised to prevent falling victim to the attack. The security firm Aikido has been monitoring the situation closely and is providing live updates through its official blog, helping developers stay informed and take proactive measures. Guillemet also stressed the importance of auditing project dependencies and pinning affected packages to their last known secure versions. This attack serves as a critical reminder of the growing sophistication of cyber threats targeting the cryptocurrency ecosystem and the importance of robust security practices for developers and users alike.
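The dependency audit and version pinning recommended above, as an added example that is not from the article, Ledger or Aikido: a Node.js script that walks an npm lockfile (lockfileVersion 2 or 3, which lists every installed copy under "packages", nested copies included) for the packages named in the incident and reports any installed version outside an operator-supplied allowlist. The lockfile contents and the allowlisted version strings are constructed placeholders; real safe versions must come from the maintainer's advisory, not from this example.

```javascript
const WATCHED = ['chalk', 'debug', 'ansi-styles', 'strip-ansi', 'color-convert'];

// "node_modules/a/node_modules/chalk" -> "chalk"; scoped names keep their "@scope/".
function packageNameFromPath(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? null : path.slice(i + 'node_modules/'.length);
}

// Walk every installed copy (nested copies included, since a transitive dependency
// can carry its own copy) and flag any watched package whose version is not allowed.
function auditLockfile(lock, safeVersions) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const name = packageNameFromPath(path);
    if (!name || !WATCHED.includes(name)) continue;
    const allowed = safeVersions[name] || [];
    if (!allowed.includes(entry.version)) {
      findings.push({ name, path, version: entry.version, allowed });
    }
  }
  return findings;
}

// Constructed lockfile: one direct chalk install and a debug copy nested under a
// transitive dependency. Version strings are placeholders, not real release numbers.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: 'PLACEHOLDER-SAFE' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/debug': { version: 'PLACEHOLDER-UNVETTED' },
  },
};
// Placeholder allowlist: fill from the maintainer's advisory, not from this example.
const SAFE_VERSIONS = { chalk: ['PLACEHOLDER-SAFE'], debug: ['PLACEHOLDER-SAFE'] };

function demoAudit() { return auditLockfile(SAMPLE_LOCK, SAFE_VERSIONS); }
```

Against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; lockfileVersion 1 files keep installs under a different key and are not handled here.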

Security Alliance, one of the first to report the breach, noted that the scale of the attack could have been far more damaging had the malicious code not been detected so quickly. The firm emphasized that the attackers’ access to widely used code packages could have allowed them to compromise millions of developer workstations. Despite the relatively small amount stolen, the attack highlights the potential for large-scale exploitation in future attacks. The firm also pointed out that the compromised Ethereum wallet address, identified as “0xFc4a48,” has only been used to receive a limited number of assets so far. However, the situation remains active, and further developments could change the scope of the breach. Researchers are continuing to monitor the behavior of the malicious address and analyze the extent of its activity across different blockchains.

The attack underscores the need for increased vigilance in the open-source development community and the importance of rapid response mechanisms to contain and mitigate breaches. As the cryptocurrency ecosystem continues to evolve, so too do the tactics of cybercriminals seeking to exploit vulnerabilities in widely used infrastructure. The incident involving NPM and the compromised JavaScript libraries serves as a wake-up call for developers and project maintainers to strengthen their security protocols and prioritize dependency management. It also highlights the critical role that security firms, such as Aikido Security and Security Alliance, play in identifying and responding to threats in real-time. With the potential for more sophisticated attacks in the future, the industry must remain proactive in safeguarding the foundational tools that underpin modern software development and blockchain applications.

Sources:
[1] Crypto users urged to take extreme care as NPM attack hits ... (https://cointelegraph.com/news/npm-attack-crypto-stealing-malware-into-core-javascript-libraries)
[2] npm Packages With 2 Billion Weekly Downloads Hacked in ... (https://hackread.com/npm-packages-2-billion-downloads-hacked-attack/)
[3] Largest npm attack in crypto history stole less than $50: SEAL (https://cointelegraph.com/news/large-scale-npm-attack-compromised-less-50-dollars)
[4] Ledger CTO Warns Of Crypto Clipper Malware Following ... (https://www.mitrade.com/insights/news/live-news/article-3-1105645-20250909)
