"Malware Hijacks 2 Billion npm Downloads to Steal Crypto in Real Time"

Generated by AI AgentCoin World
Monday, Sep 8, 2025 7:52 pm ET

Summary

- Ledger CTO warns crypto users to pause onchain transactions after a major npm supply chain attack compromised packages with a combined 2.6 billion weekly downloads, including `chalk` and `debug`, with malware that steals from transactions in real time.

- Phishing emails from a newly registered `npmjs.help` domain enabled attackers to inject cryptostealing code into browser functions, hijacking wallet APIs and replacing addresses to redirect funds covertly.

- Security firms confirmed the malware kept intercepting transactions inside the browser even when the UI displayed the correct address, highlighting a multi-layered attack and renewed risk for crypto/web3 developers who depend on npm packages.

- Rapid removal of compromised packages and industry collaboration minimized damage, but the incident underscores critical vulnerabilities in open-source ecosystems and the need for enhanced security protocols.

Ledger CTO Pascal Gauthier has issued a warning to cryptocurrency users to suspend onchain transactions following a significant supply chain attack that compromised a number of widely used npm packages. The breach, attributed to a phishing campaign, infected the packages with malicious code capable of intercepting and altering crypto transactions in real time. The compromised packages include popular tools such as `chalk`, `debug`, and `ansi-styles`, which together account for over 2 billion weekly downloads. The malware has been identified as a browser-based cryptostealer that manipulates wallet interactions and transaction parameters without the user's knowledge, redirecting funds to attacker-controlled addresses.

According to the maintainer of the affected packages, the compromise originated from a phishing email sent from the domain `npmjs.help`, which had been registered just three days before the attack. The maintainer confirmed the breach on social media and began cleaning up the affected packages, although some, such as `simple-swizzle`, remained compromised at the time of reporting.

The malware works by injecting itself into core browser functions such as `fetch` and `XMLHttpRequest` and hijacking wallet APIs to monitor and manipulate transaction data. It uses string matching to replace legitimate wallet addresses with lookalike addresses, making the theft less conspicuous to users. Security firm Aikido reported that the malware remained active in the browser, intercepting transactions before they were signed, even when the UI appeared to display the correct address. This highlights the sophistication of the attack, which operates at multiple layers, manipulating both API calls and the user interface. The attack has sparked renewed concerns about the security of software supply chains, particularly in the crypto and web3 development communities.
The maintainer noted that the phishing email was part of a broader effort to compromise individual accounts, and the attackers are believed to have used similar tactics against other maintainers. A second package, `proto-tinker-wc@0.1.87`, was also found compromised, further indicating that this was not an isolated incident but part of a coordinated effort to exploit weaknesses in the npm ecosystem. The compromised packages were quickly identified and removed from the npm registry, but the incident underscores the potential impact of even small-scale compromises. The affected packages had a combined weekly download count of 2.6 billion, and had the attack not been discovered so rapidly, the consequences could have been far more severe. Security researchers described the attack as a "cryptostealer" and emphasized the importance of verifying transaction details and of secure development practices, such as using `npm ci` in build pipelines so that only the versions recorded in the lockfile are installed, to mitigate the risk of such attacks.

The Ledger CTO's warning comes amid a broader rise in phishing and malware attacks targeting the crypto industry. Recent reports have highlighted how threat actors increasingly use sophisticated tactics, including fake job offers and impersonation of trusted platforms like Ledger, to steal private keys and redirect funds. In one case, a user lost approximately $13 million after falling victim to a phishing scam involving a malicious Zoom client that allowed attackers to gain unauthorized access to their system. The attack led to the victim approving fraudulent transactions that transferred control of their assets to the attackers. The recent npm compromise serves as a stark reminder of the vulnerabilities that exist in the software supply chain and of the need for developers and users to remain vigilant.
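As an added example (not code from the article or from any of the affected projects), the following Node.js script audits a parsed `package-lock.json`, the file `npm ci` installs from verbatim, against a blocklist of package versions and an allowlist of registry hosts. Only `proto-tinker-wc@0.1.87` is taken from the article; the entry `constructed-bad-pkg`, the sample lockfile and the host `mirror.example.invalid` are constructed placeholders.

```javascript
// Added example, not from the article or the affected projects: audit a parsed
// npm package-lock.json (lockfileVersion 2 or 3) for blocklisted package@version
// pairs and for tarballs resolved from an unexpected registry host.
const ALLOWED_REGISTRY_HOSTS = new Set(["registry.npmjs.org"]);

// Blocklist shape: { packageName: Set(versions) }.
const BLOCKLIST = {
  "proto-tinker-wc": new Set(["0.1.87"]),   // version named in the article
  "constructed-bad-pkg": new Set(["9.9.9"]), // constructed placeholder entry
};

// In a v2/v3 lockfile the "packages" keys are install paths such as
// "node_modules/chalk" or "node_modules/a/node_modules/@scope/b"; the
// package name is whatever follows the last "node_modules/".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

function findCompromised(lock, blocklist = BLOCKLIST, hosts = ALLOWED_REGISTRY_HOSTS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name) continue; // "" is the root project; link/workspace entries have no node_modules/
    const bad = blocklist[name];
    if (bad && bad.has(meta.version)) {
      findings.push({ path, name, version: meta.version, reason: "blocklisted" });
    }
    let host = null;
    try { host = new URL(meta.resolved || "").host; } catch { /* git:/file: specs are skipped */ }
    if (host && !hosts.has(host)) {
      findings.push({ path, name, version: meta.version, reason: `registry ${host}` });
    }
  }
  return findings;
}

// Constructed sample lockfile: one nested blocklisted package and one tarball
// served from a host that is not the expected registry.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.3.0", resolved: "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz" },
    "node_modules/some-cli/node_modules/proto-tinker-wc": { version: "0.1.87", resolved: "https://registry.npmjs.org/proto-tinker-wc/-/proto-tinker-wc-0.1.87.tgz" },
    "node_modules/@acme/widget": { version: "2.0.1", resolved: "https://mirror.example.invalid/@acme/widget/-/widget-2.0.1.tgz" },
  },
};

for (const f of findCompromised(SAMPLE_LOCK)) {
  console.log(`FLAG ${f.name}@${f.version} at ${f.path}: ${f.reason}`);
}
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised` and fail the build when it returns anything. A blocklist only catches versions already known to be bad, so it complements, rather than replaces, lockfile pinning and `integrity` verification.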
With the growing popularity of decentralized finance (DeFi) and blockchain-based applications, the attack surface for such threats is expanding, making it essential for the industry to adopt more robust security measures. The incident also highlights the importance of continuous monitoring and rapid response mechanisms within the open-source community. The quick action taken by security firms and the npm community helped minimize the damage, but the potential for future attacks remains a concern. As the crypto industry continues to evolve, the need for enhanced security protocols, user education, and collaboration between developers and security experts will become increasingly critical in safeguarding digital assets from malicious actors.

Sources:

[1] Largest NPM Compromise in History - Supply Chain Attack (https://www.reddit.com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/)

[2] npm debug and chalk packages compromised (https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised)

[3] Security Alert | chalk, debug and color on npm ... (https://semgrep.dev/blog/2025/chalk-debug-and-color-on-npm-compromised-in-new-supply-chain-attack)
