Ethereum News Today: "Phishing Breach Turns NPM Libraries Into Crypto-Stealing Weapons"
Hackers compromised widely used JavaScript libraries in what experts are calling the largest supply chain attack in the history of the Node Package Manager (NPM), a central repository for JavaScript developers. The breach affected high-profile packages such as chalk, strip-ansi, and ansi-styles, which are collectively downloaded over two billion times per week. These libraries are embedded in the dependency chains of countless applications, meaning even developers who did not directly install them could be exposed to the malicious code. The injected malware, identified as a crypto-clipper, is designed to alter wallet addresses during transactions, potentially diverting cryptocurrency to attacker-controlled addresses without the user's knowledge [1].
The attack was discovered and disclosed within an hour by Aikido Security following a phishing attempt that compromised the account of a long-trusted NPM maintainer. The malicious code was found to be active in several popular packages, including debug, chalk, and ansi-styles. According to analysis, the malware modifies functions like fetch and XMLHttpRequest, enabling it to hook into browser-based wallets such as MetaMask and Phantom, as well as intercept transaction data across multiple blockchain networks including Ethereum (ETH), Bitcoin (BTC), and Solana (SOL). This level of intrusion means that developers who updated these packages could be unknowingly exposing users to financial risks when interacting with Web3 applications [2].
Security researchers from Aikido Security emphasized that the malware’s scope is not limited to transaction redirection. It operates at both the browser and API levels, making it difficult to detect and allowing fraudulent transfers to appear legitimate. The malicious code also recognizes various cryptocurrency formats and rewrites them with lookalike addresses, which could mislead users into thinking transactions are going to the correct recipients. In addition to transaction manipulation, the malware intercepts network traffic and application calls, further enhancing its stealth and effectiveness [2].
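The two behaviours described above, hooked network functions and lookalike recipient addresses, each have a cheap defender-side tripwire. The following is an added example and is not code from the article, from Aikido Security's analysis, or from any of the affected packages; the function names, the simulated environment and the sample addresses are all constructed for illustration.

```javascript
// Added example (not from the article or the affected packages): two checks a
// wallet front end or dApp can run before signing, against the behaviour the
// article describes. All names and sample data here are constructed.

// Check 1: has fetch / XMLHttpRequest been replaced by a plain JS wrapper?
// Engine-provided functions stringify to "[native code]"; a wrapper installed
// by a crypto-clipper stringifies to its own source. Caveat: bound functions
// also report "[native code]" and malware can override Function.prototype
// .toString, so this is a tripwire, not proof of integrity.
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  return NATIVE_RE.test(Function.prototype.toString.call(fn));
}

// Returns the names of expected-native globals that no longer look native.
// `env` is any object exposing the functions to check (globalThis in a page).
function auditGlobals(env, names = ['fetch', 'XMLHttpRequest']) {
  return names.filter((name) => name in env && !isNativeFunction(env[name]));
}

// Check 2: does the recipient in the outgoing transaction still equal the
// address the user entered? Clippers choose a lookalike that shares the first
// and last few characters, which an abbreviating UI ("0xAbCd...EfAb") hides,
// so compare the full strings and report a lookalike separately.
function normalizeAddress(addr) {
  return String(addr).trim().toLowerCase();
}

function classifyRecipient(intended, actual, affix = 4) {
  const a = normalizeAddress(intended);
  const b = normalizeAddress(actual);
  if (a === b) return 'match';
  const strip = (s) => s.replace(/^0x/, '');
  const x = strip(a);
  const y = strip(b);
  const samePrefix = x.slice(0, affix) === y.slice(0, affix);
  const sameSuffix = x.slice(-affix) === y.slice(-affix);
  return samePrefix && sameSuffix ? 'lookalike' : 'mismatch';
}

// Gate a send: refuse anything but an exact match on a clean environment,
// and return enough detail to show the user why.
function preSignCheck(intended, txTo, env = globalThis) {
  const tamperedGlobals = auditGlobals(env);
  const verdict = classifyRecipient(intended, txTo);
  return {
    ok: verdict === 'match' && tamperedGlobals.length === 0,
    verdict,
    tamperedGlobals,
  };
}

// Constructed sample addresses (not the address named in the article).
const INTENDED = '0xAbCd' + '1'.repeat(32) + 'EfAb';
const LOOKALIKE = '0xAbCd' + '2'.repeat(32) + 'EfAb';

// Simulated environment: XMLHttpRequest has been wrapped in plain JS, as a
// clipper would do; Math.max stands in for a genuine native function.
const simulatedEnv = { fetch: Math.max, XMLHttpRequest: function patched() {} };

console.log(JSON.stringify(preSignCheck(INTENDED, LOOKALIKE, simulatedEnv)));
// -> {"ok":false,"verdict":"lookalike","tamperedGlobals":["XMLHttpRequest"]}
```

The native-code check is deliberately a heuristic: it catches the straightforward wrapper the article describes but not a wrapper that also patches `toString`, which is why the recipient comparison is the check that should actually block the send. A hardware wallet performs the same comparison on its own display, which is the protection Ledger's CTO refers to later in the article.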
Despite the scale and sophistication of the attack, the financial losses so far have been relatively limited. According to Security Alliance (SEAL), the malware has stolen less than $50 in cryptocurrency, including a small amount of Ether and several memecoins. The affected Ethereum wallet address was identified as “0xFc4a48,” and while the initial theft was just 5 cents in ETH, it has since increased slightly, suggesting the potential for larger losses if the malware remains active. However, the rapid detection and removal of the malicious code have significantly limited the damage [3].
Charles Guillemet, the Chief Technology Officer of Ledger, a hardware wallet provider, urged cryptocurrency users to take extra precautions when confirming onchain transactions. He highlighted the risks faced by users of software wallets, who are more vulnerable to address swapping. In contrast, users of hardware wallets are better protected because they must physically confirm each transaction. Guillemet also emphasized the need for developers to audit their dependencies and roll back to safe versions of the affected packages to prevent further exposure [4].
The NPM maintainer involved in the breach reported that his account was compromised after receiving a phishing email. By the time he began removing the malicious packages, he had lost access to his account. Some packages, like simple-swizzle, remain compromised as of the latest update. Aikido Security has been actively monitoring the situation and providing live updates on its blog, advising developers to stay vigilant and ensure they are using the most recent safe versions of the affected packages [2].
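The advice in the two preceding paragraphs, audit your dependencies and roll back to safe versions, can be applied mechanically to an npm lockfile. The following is an added example, not code from the article, from Aikido Security or from npm; the lockfile contents and every version number in it are constructed, and the allow-list is a placeholder to be replaced with the safe versions published in the maintainer's and Aikido's advisories.

```javascript
// Added example (not from the article): audit a package-lock.json for the
// packages the article names, flag any resolved copy (including nested ones)
// whose version is not on a pinned allow-list, and emit an npm "overrides"
// block that forces the allowed version across the whole dependency tree.
// Lockfile contents, versions and function names below are constructed.

// Packages the article names as affected; a real run would use the full
// advisory list.
const WATCHLIST = ['chalk', 'strip-ansi', 'ansi-styles', 'debug', 'simple-swizzle'];

// PLACEHOLDER policy: name -> versions you have verified as clean. The 9.9.x
// values are invented for this example and are not real safe versions.
const EXAMPLE_ALLOWLIST = {
  chalk: ['9.9.1'],
  'strip-ansi': ['9.9.1'],
  'ansi-styles': ['9.9.1'],
  debug: ['9.9.1'],
  'simple-swizzle': ['9.9.1'],
};

// lockfileVersion 2/3 keys entries by install path; the package name is
// everything after the last "node_modules/", which also handles @scope/name.
function packageNameFromPath(installPath) {
  const marker = 'node_modules/';
  const i = installPath.lastIndexOf(marker);
  return i === -1 ? installPath : installPath.slice(i + marker.length);
}

// Returns one finding per watched package whose version is not allowed.
function auditLockfile(lockText, allowlist, watchlist = WATCHLIST) {
  const lock = JSON.parse(lockText);
  if (!lock.packages || ![2, 3].includes(lock.lockfileVersion)) {
    throw new Error('only lockfileVersion 2 or 3 (with a "packages" map) is handled');
  }
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages)) {
    if (installPath === '') continue; // root project entry, not a dependency
    const name = packageNameFromPath(installPath);
    if (!watchlist.includes(name)) continue;
    const allowed = allowlist[name] || [];
    if (!allowed.includes(entry.version)) {
      findings.push({ name, version: entry.version, path: installPath });
    }
  }
  return findings;
}

// Build the "overrides" object for package.json (npm 8.3+) that pins each
// flagged package to its first allowed version, then `npm install` to roll back.
function rollbackOverrides(findings, allowlist) {
  const overrides = {};
  for (const f of findings) {
    const allowed = allowlist[f.name] || [];
    if (allowed.length > 0) overrides[f.name] = allowed[0];
  }
  return overrides;
}

// Constructed lockfile: chalk and ansi-styles are on the allow-list, the
// top-level debug and a nested strip-ansi are not.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  requires: true,
  packages: {
    '': { name: 'example-app', dependencies: { chalk: '^9.9.0', debug: '^9.9.0' } },
    'node_modules/chalk': { version: '9.9.1' },
    'node_modules/ansi-styles': { version: '9.9.1' },
    'node_modules/debug': { version: '9.9.5' },
    'node_modules/some-lib': { version: '1.0.0' },
    'node_modules/some-lib/node_modules/strip-ansi': { version: '9.9.9' },
  },
});

const findings = auditLockfile(SAMPLE_LOCK, EXAMPLE_ALLOWLIST);
console.log(JSON.stringify(findings));
console.log(JSON.stringify({ overrides: rollbackOverrides(findings, EXAMPLE_ALLOWLIST) }));
```

Walking the flattened `packages` map rather than the top-level `dependencies` matters here: the article's point is that the compromised libraries sit deep in other packages' dependency chains, and a nested copy such as `some-lib/node_modules/strip-ansi` is exactly the one a top-level-only check misses.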
The incident highlights the vulnerabilities inherent in open-source software ecosystems, where a single compromised package can have cascading effects across the developer community. It also underscores the importance of proactive security measures and rapid response to mitigate potential damage. While the financial impact has been minimal thus far, the technical breach has raised alarms about the broader risks to the JavaScript ecosystem and the need for stronger safeguards in package management systems [1].
Sources:
[1] Crypto users urged to take extreme care as NPM attack hits ... (https://cointelegraph.com/news/npm-attack-crypto-stealing-malware-into-core-javascript-libraries)
[2] npm Packages With 2 Billion Weekly Downloads Hacked in ... (https://hackread.com/npm-packages-2-billion-downloads-hacked-attack/)
[3] Largest npm attack in crypto history stole less than $50: SEAL (https://cointelegraph.com/news/large-scale-npm-attack-compromised-less-50-dollars)
[4] Ledger CTO Warns Of Crypto Clipper Malware Following ... (https://www.mitrade.com/insights/news/live-news/article-3-1105645-20250909)