Hidden Code in Billion-Downloaded Tool Steals Crypto in Plain Sight

Generated by AI Agent, Coin World
Monday, Sep 8, 2025 2:41 pm ET
Summary

- Ledger CTO Charles Guillemet warns that a compromised npm maintainer account was used to publish crypto-stealing malware in the widely used "error-ex" JavaScript package.

- Malicious code silently alters transaction addresses, redirecting Bitcoin/Ethereum/Solana to attacker-controlled wallets via billion-downloaded packages.

- A separate ReversingLabs report describes attackers hiding command-and-control instructions inside two npm packages instead of hard-coding malicious URLs; in the present incident the tampered core libraries (chalk, strip-ansi, color-convert) reach users who never installed them directly because they sit deep in dependency chains.

- Experts call this potentially the largest open-source supply chain attack to date, urging hardware wallet users to verify the recipient on the device screen and software-wallet users to hold off on on-chain transactions until the threat is understood.

- The breach highlights systemic risks in shared code ecosystems, with hidden threats propagating through widely used, seemingly benign libraries.

A critical software supply-chain attack has been disclosed that could expose cryptocurrency funds to theft, according to Charles Guillemet, Chief Technology Officer at Ledger. The attackers compromised the npm account of a well-known developer and used it to publish a malicious version of the widely used JavaScript package "error-ex" [1]. The package has been downloaded more than one billion times and is embedded in numerous applications and services, so the exposure is potentially very wide [1].

The malicious code works by silently altering transaction details. When a user sends Bitcoin, Ethereum, or Solana, the destination wallet address is swapped for one controlled by the attackers; the victim believes the funds are going to a trusted address while the transaction is redirected to the attackers instead [1]. Security analysts have noted that the malware can interfere at several layers, altering what a website displays, changing background processes, and tricking apps into misrepresenting the user's action, so the address shown on screen and the one actually submitted for signing need not be the same [1].
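The following is an added example, not code from the article or from the malicious packages it describes. It models the technique in simplified form: a hooked transport rewrites every address-shaped token in an outgoing payload to an attacker-controlled address of the same kind, while the calling application still believes it sent the original. Beside it is the check the hardware-wallet advice relies on: comparing the recipient in the payload that is actually about to be signed with a value confirmed independently. All addresses, the hook, and the function names are constructed for illustration.

```javascript
// Added example, not code from the article or from the malicious packages it
// describes: a simplified model of the address-swapping technique (a compromised
// dependency hooks the transport and rewrites destination addresses on the wire)
// next to the check that defeats it (verifying the recipient at the signing
// boundary against an independently confirmed value). All addresses are
// constructed placeholders.

// Attacker-controlled destinations (constructed, not real wallets).
const ATTACKER_ADDRESSES = {
  evm: '0x' + 'ab'.repeat(20),   // 0x + 40 hex chars
  btc: 'bc1q' + 'z'.repeat(38),  // bech32-shaped
  sol: 'B'.repeat(44),           // base58-shaped
};

// Classify a token by the address shape it resembles. Order matters: the
// Solana pattern is broad enough to also match some Bitcoin addresses.
function classifyAddress(token) {
  if (/^0x[0-9a-fA-F]{40}$/.test(token)) return 'evm';
  if (/^(bc1[02-9ac-hj-np-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$/.test(token)) return 'btc';
  if (/^[1-9A-HJ-NP-Za-km-z]{32,44}$/.test(token)) return 'sol';
  return null;
}

// What injected code conceptually does to any outbound text: replace every
// address-shaped token with one of the same kind under attacker control.
function swapAddresses(text) {
  return text.replace(/[0-9A-Za-z]+/g, (tok) => {
    const kind = classifyAddress(tok);
    return kind ? ATTACKER_ADDRESSES[kind] : tok;
  });
}

// Wrap a transport function (fetch, an RPC client, ...) so callers see no change.
function installMaliciousHook(transport) {
  return function hookedTransport(payload) {
    return transport(swapAddresses(payload));
  };
}

// Defence modelled on the hardware-wallet advice: before signing, compare the
// recipient in the payload actually being signed with the value the user
// confirmed on an independent display. Any mismatch aborts the signature.
function signOnlyIfRecipientMatches(payloadToSign, confirmedRecipient) {
  const tx = JSON.parse(payloadToSign);
  if (tx.to !== confirmedRecipient) {
    return {
      signed: false,
      reason: `recipient mismatch: confirmed ${confirmedRecipient}, payload has ${tx.to}`,
    };
  }
  return { signed: true, to: tx.to };
}

// End-to-end run: an app builds a transfer, a hooked transport rewrites it,
// and the signing-boundary check catches the rewrite.
function demo() {
  const intended = '0x' + '12'.repeat(20);  // the address the user meant to pay
  const payload = JSON.stringify({ to: intended, value: '1.0', asset: 'ETH' });

  const onWire = [];
  const send = installMaliciousHook((p) => { onWire.push(p); return p; });
  send(payload);  // the app believes it sent `intended`

  const wireRecipient = JSON.parse(onWire[0]).to;
  return {
    intended,
    wireRecipient,
    hijacked: wireRecipient !== intended,
    signing: signOnlyIfRecipientMatches(onWire[0], intended),
  };
}

console.log(demo());
```

The point of the second half is where the comparison happens: a check done by the same compromised front end can be fooled as easily as the display was, whereas a check done by the device that holds the key, against an address the user read off that device's own screen, sees the payload as it will actually be signed.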

Guillemet advised hardware wallet users to verify each transaction on the device's own screen before approving it: the device renders the recipient address from the transaction it is actually asked to sign, so a substituted address shows up there even when the host software displays the intended one. For users relying solely on software wallets, he cautioned against making on-chain transactions until the threat is better understood [1]. Security experts have described the incident as potentially the largest open-source supply chain attack to date, underscoring the exposure that shared software libraries create and the direct financial risk they pose to the crypto ecosystem [1].

A separate report by ReversingLabs described attackers embedding command-and-control (C2) instructions in two npm packages so that the malware could avoid detection by not hard-coding malicious URLs in the packages themselves [2]. That attack abused npm, the default package manager for Node.js and the tool developers use to install, manage, and share reusable JavaScript code [2]. Charles Guillemet reiterated the importance of vigilance during transactions and warned the crypto community of the growing sophistication of these attacks [2].

The malicious code was also published in core JavaScript libraries such as chalk, strip-ansi, and color-convert, small utilities pulled in by millions of applications and downloaded billions of times each week [3]. These libraries sit deep in dependency trees, so developers who never installed them directly can still receive a tampered copy through something they did install [3]. The attack highlights the risks of the widespread reliance on open-source software and the potential for hidden threats to propagate through seemingly benign code [3].
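Because the affected libraries arrive transitively, checking your own package.json is not enough. The following is an added example, not from the article or from npm itself: it walks an npm lockfile (lockfileVersion 2 or 3, which carry a flat "packages" map keyed by install path), reports every installed copy of the packages the article names, including nested copies under other dependencies, and flags the copies whose version appears in an advisory list. The lockfile and advisory below are constructed, every version number in them is a placeholder, and the real compromised versions must be taken from the advisory for each package.

```javascript
// Added example, not from the article or from npm itself: scan an npm lockfile
// (lockfileVersion 2 or 3 "packages" map) for the packages the article names,
// including nested transitive copies, then flag versions listed in an advisory.
// SAMPLE_LOCKFILE and SAMPLE_ADVISORY are constructed; all versions are placeholders.

const WATCHLIST = new Set(['chalk', 'strip-ansi', 'color-convert', 'error-ex']);

// Constructed lockfile fragment (placeholder versions).
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'my-cli-kit': '^1.0.0' } },
    'node_modules/my-cli-kit': { version: '1.0.0', dependencies: { chalk: '^4.0.0', 'error-ex': '^1.0.0' } },
    'node_modules/chalk': { version: '4.0.0', dependencies: { 'ansi-styles': '^4.0.0' } },
    'node_modules/ansi-styles': { version: '4.0.0', dependencies: { 'color-convert': '^2.0.0' } },
    'node_modules/color-convert': { version: '2.0.0' },
    'node_modules/error-ex': { version: '1.0.0' },
    'node_modules/some-logger': { version: '2.0.0', dependencies: { chalk: '^9.0.0' } },
    'node_modules/some-logger/node_modules/chalk': { version: '9.9.9' },
  },
};

// Constructed advisory: package name -> set of versions to treat as compromised.
const SAMPLE_ADVISORY = { chalk: new Set(['9.9.9']) };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Every installed copy of a watched package, with its install path and whether
// the root project depends on it directly (anything else reached it transitively).
function findWatched(lockfile, watchlist = WATCHLIST) {
  const packages = lockfile.packages || {};
  const root = packages[''] || {};
  const directDeps = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === '') continue;
    const name = packageNameFromKey(path);
    if (name === null || !watchlist.has(name)) continue;
    hits.push({
      name,
      version: meta.version,
      path,
      direct: path === `node_modules/${name}` && directDeps.has(name),
    });
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Narrow the hits to versions listed in the advisory.
function flagCompromised(hits, advisory) {
  return hits.filter((h) => advisory[h.name] && advisory[h.name].has(h.version));
}

// Human-readable report for one lockfile.
function report(lockfile, advisory) {
  const hits = findWatched(lockfile);
  const flagged = flagCompromised(hits, advisory);
  const lines = hits.map((h) =>
    `${h.name}@${h.version} at ${h.path} (${h.direct ? 'direct' : 'transitive'})` +
    (flagged.includes(h) ? '  <-- matches advisory' : ''));
  return { hits, flagged, text: lines.join('\n') };
}

console.log(report(SAMPLE_LOCKFILE, SAMPLE_ADVISORY).text);
```

On a real project, load `package-lock.json` with `JSON.parse(fs.readFileSync(...))` in place of SAMPLE_LOCKFILE; `npm ls chalk` shows the same nesting for one package at a time. Note that a package listed at the top level of node_modules is not necessarily a direct dependency, since npm hoists transitive packages there too, which is why the check consults the root entry's dependency lists rather than the install path alone.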

As the situation continues to evolve, experts emphasize that users must remain cautious and take proactive steps to protect their digital assets. For now, the full extent of the breach, and whether seed phrases are at risk, remains unclear. Further updates from the affected parties are expected as more details emerge.

Source:

[1] Critical hack may put crypto funds at risk: Ledger CTO (https://blockworks.co/news/critical-hack-may-put-crypto-funds-at-risk-ledger-cto)

[2] Ledger CTO warns of shocking NPM attacks by crypto hackers (https://www.thestreet.com/crypto/markets/ledger-cto-warns-of-shocking-npm-attacks-by-crypto-hackers)

[3] NPM Attack Injects Crypto-Stealing Malware Into Core JavaScript Libraries (https://cointelegraph.com/news/npm-attack-crypto-stealing-malware-into-core-javascript-libraries)
