Phishing Attack Breached Billions of Code Downloads to Steal Crypto

Generated by AI Agent, Coin World
Tuesday, Sep 9, 2025 3:32 am ET
Summary

- A phishing attack compromised 18 widely used JavaScript packages, enabling silent cryptocurrency theft via browser-based transaction manipulation.

- Attackers exploited a spoofed NPM site to steal developer credentials, injecting malware into foundational tools like chalk and debug.

- Malware hijacked browser functions to reroute Ethereum, Solana, and Bitcoin transactions using lookalike addresses, evading user detection.

- Security experts called for phish-proof authentication (e.g., hardware keys) to prevent future compromises of critical open-source infrastructure.

- Hardware wallet providers warned users to verify transactions, emphasizing risks for software wallets during the breach.

A significant supply chain security breach has triggered a high-stakes response from the cryptocurrency and software development communities. At least 18 widely used JavaScript code packages, collectively downloaded over two billion times weekly, were temporarily compromised when a developer fell victim to a phishing attack. The malicious code, injected into the compromised packages, was designed to silently intercept and manipulate cryptocurrency transactions in the browser, redirecting funds to attacker-controlled accounts without user awareness. This incident, described by security experts as potentially the largest supply chain attack in history, underscores the vulnerabilities present in open-source ecosystems and the cascading risks to both developers and end-users.

The breach occurred when a developer, Josh Junon, was deceived by a phishing campaign impersonating the Node Package Manager (NPM) website. The attackers sent a spoofed email to Junon, urging him to update his two-factor authentication (2FA) credentials. The link redirected him to a malicious site hosted at npmjs.help, where his credentials and 2FA token were captured. Using this access, the attackers modified Junon’s NPM account, allowing them to inject malicious code into the packages he maintained. The compromised packages included popular tools such as chalk, debug, and ansi-styles, which are foundational components in the JavaScript development ecosystem.

The malware embedded in these packages operated at multiple layers of the browser and application environment. It hijacked core functions like fetch and XMLHttpRequest, allowing it to intercept both web traffic and wallet interactions. Specifically, it targeted transactions on several blockchains, including Ethereum, Solana, and Bitcoin, by silently altering destination addresses and transaction parameters. This manipulation meant that even if the user interface appeared normal, the underlying transactions could be rerouted without the user’s knowledge. The attackers used lookalike addresses—slightly altered versions of legitimate addresses—to make the redirections harder to detect.

Security firm Aikido highlighted the stealthiness of the attack, noting that it operated in real-time and could have been far more destructive. The malicious code did not merely steal cryptocurrency but also intercepted API calls and manipulated what users’ applications believed they were signing. Aikido researcher Charlie Eriksen emphasized the multi-layered threat, stating that such attacks could have easily escalated to broader malware outbreaks. The incident was contained relatively quickly, but the speed of response was crucial in mitigating damage. In a similar incident in August, a different NPM developer was compromised, and the malware in that case was designed to steal authentication tokens and SSH keys, publishing them publicly for all to see.

The breach has prompted urgent calls for stronger authentication mechanisms in open-source software ecosystems. Nicholas Weaver, a researcher at the International Computer Science Institute, noted that NPM should implement phish-proof authentication methods, such as physical security keys, to prevent similar compromises. Current forms of 2FA are vulnerable to phishing attacks if attackers can intercept credentials through deceptive means. Weaver described NPM as a critical infrastructure component and argued that its failure to enforce robust authentication standards is a form of negligence.

Hardware wallet providers, such as Ledger, have also issued warnings to users. Ledger’s Chief Technology Officer, Charles Guillemet, advised users to pause on-chain transactions until the compromised packages are thoroughly cleaned up. He emphasized that users of software wallets are at a higher risk because the malicious code could alter transaction details before they are signed. In contrast, hardware wallets with secure screens and clear signing capabilities can protect users by ensuring transaction details are accurate before finalizing a transfer. Guillemet also stressed the importance of verifying transaction details and using hardware wallets to mitigate the risks posed by the breach.
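As an added example, not code from the article or from any project or vendor it names, the following puts the two defensive points above into working form: a tripwire for the fetch/XMLHttpRequest hooking described earlier, and the pre-signing recipient check that Guillemet recommends and that software wallets typically lack. The function names, the prefix/suffix thresholds and the sample addresses are assumptions constructed for this example.

```javascript
// Built-ins stringify with "[native code]"; a JavaScript wrapper installed by injected
// code does not. Caveat: a tripwire, not a guarantee, because Function.prototype.toString
// can itself be patched. Node implements fetch in JavaScript, so audit a browser scope.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Report which network primitives in `scope` no longer point at native code.
function auditGlobals(scope = globalThis) {
  const findings = [];
  if (typeof scope.fetch === 'function' && !isNativeFunction(scope.fetch)) {
    findings.push('fetch has been replaced by a non-native wrapper');
  }
  if (typeof scope.XMLHttpRequest === 'function') {
    for (const method of ['open', 'send']) {
      if (!isNativeFunction(scope.XMLHttpRequest.prototype[method])) {
        findings.push(`XMLHttpRequest.prototype.${method} has been replaced`);
      }
    }
  }
  return findings;
}

function commonPrefixLength(a, b) {
  let i = 0;
  while (i < a.length && i < b.length && a[i] === b[i]) i++;
  return i;
}

// Compare the recipient the user approved with the one actually in the payload about
// to be signed. A mismatch that keeps the same leading and trailing characters is the
// lookalike pattern: it survives a glance at both ends of the address.
function checkRecipient(intended, actual, { prefix = 4, suffix = 3 } = {}) {
  if (intended === actual) return { ok: true, verdict: 'match' };
  const reverse = (s) => [...s].reverse().join('');
  const head = commonPrefixLength(intended, actual);
  const tail = commonPrefixLength(reverse(intended), reverse(actual));
  const verdict = head >= prefix && tail >= suffix ? 'lookalike-substitution' : 'mismatch';
  return { ok: false, verdict, sharedPrefix: head, sharedSuffix: tail };
}

// Constructed samples: a scope whose fetch has been wrapped by a JavaScript function,
// and an approved address beside one that keeps the same ends but swaps the middle.
const HOOKED_SCOPE = { fetch: (...args) => Math.max(...args) };
const INTENDED = '0x' + '1'.repeat(40);
const LOOKALIKE = '0x1111' + '2'.repeat(32) + '1111';
console.log(auditGlobals(HOOKED_SCOPE), checkRecipient(INTENDED, LOOKALIKE));
```

In a wallet front end the recipient check belongs immediately before the signing call, comparing the address the user confirmed on screen with the address serialized into the request body, so a hooked transport that rewrote the payload is caught before a signature exists.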

The incident also raises broader questions about the sustainability and security of open-source software development. Kevin Beaumont, a security expert, noted that the entire software ecosystem is increasingly dependent on a small number of under-resourced maintainers, many of whom manage widely used code without institutional support. This situation creates a single point of failure where a phishing attack can compromise billions of downloads and, by extension, countless applications and websites. Beaumont criticized the reliance on AI-generated code and automated dependency management, warning that these practices amplify the risks when supply chain attacks occur.

Security companies like Aikido are already responding to the incident by developing tools to scan code repositories for malicious content before deployment. These tools aim to ensure that code libraries are verified for safety, reducing the risk of introducing compromised packages into development environments. However, the incident demonstrates that proactive measures are not yet universally adopted, leaving large portions of the ecosystem vulnerable to similar attacks in the future.
