A Phishing Attack Hijacked 2 Billion npm Downloads to Steal Crypto

Generated by AI Agent, Coin World
Tuesday, Sep 9, 2025 1:47 am ET

Summary

- OKX addressed an npm supply chain attack, confirming no platform vulnerabilities or breaches despite malicious code in widely used packages.

- Attackers used phishing to compromise a developer account, injecting crypto-stealing malware into high-traffic npm packages with 2B+ weekly downloads.

- Malware hijacked browser functions and wallet interfaces to alter transaction destinations, redirecting funds to attacker-controlled addresses.

- Security experts urged users to verify code integrity and update packages, while OKX emphasized multi-layered security and suspicious activity reporting.

- Though financial losses were minimal, the incident highlighted systemic risks in software supply chains and crypto/web3 ecosystem vulnerabilities.

OKX has responded to concerns raised by users following a recent supply chain security incident involving several npm packages. The company has reaffirmed its commitment to user security and transparency, emphasizing that no vulnerabilities or data breaches have been identified within its platforms as a result of the incident. OKX has advised users to remain vigilant and to double-check transaction details when interacting with web3 applications, particularly those involving wallet transfers or approvals.

The security breach occurred when a developer account on npm was compromised through a phishing attack. The affected packages, including widely used tools like `ansi-styles`, `debug`, and `chalk`, were updated with malicious code. These packages collectively account for over 2 billion weekly downloads, making the breach one of the largest in npm history. The malware injected into these packages primarily targeted cryptocurrency transactions, altering transaction destinations to redirect funds to attacker-controlled addresses.

According to reports, the malware operates by hooking into browser functions such as `fetch` and `XMLHttpRequest`, as well as cryptocurrency wallet interfaces like `window.ethereum`. It intercepts and modifies transaction data before it is signed by the user, making it difficult to detect. The malware uses string-matching logic to replace legitimate addresses with similar-looking ones, making the tampering less obvious. Additionally, it manipulates and transaction parameters, such as recipient addresses and approval targets, ensuring that even if the user interface appears normal, the transaction may route funds to unauthorized accounts.

The phishing attack was initiated through an email sent from the domain `npmjs.help`, which was registered just days before the breach. The email contained a link to a page designed to steal the developer's account credentials, including two-factor authentication codes. Once the account was compromised, attackers published malicious updates to multiple packages, embedding the crypto-stealing code.

Despite the scale of the breach, the financial impact appears to be relatively limited. Reports indicate that the attackers managed to siphon off only a small amount of cryptocurrency—approximately 5 cents worth of Ethereum and $20 of a memecoin—with no significant theft of larger funds. However, the incident has raised broader concerns about the vulnerability of software supply chains and the potential for widespread disruption if such attacks were to target critical infrastructure or enterprise systems.

In response, security experts have urged developers and users to verify their local project environments for signs of compromise. Tools such as `grep` and custom scripts have been shared online to help detect malicious code within the npm cache or installed packages. Additionally, users are advised to ensure that they are using up-to-date versions of affected packages and to avoid signing transactions without thorough validation of all parameters.

OKX has not reported any direct impact on its systems but has reiterated the importance of multi-layered security measures for both users and developers. The company has also encouraged users to report any suspicious activity and to stay informed about emerging threats in the crypto and web3 ecosystems.

Sources:

- [1] npm debug and chalk packages compromised (https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised)
- [2] Oops, No Victims: The Largest Supply Chain Attack Stole 5... (https://www.securityalliance.org/news/2025-09-npm-supply-chain)
- [3] Largest NPM Compromise in History - Supply Chain Attack (https://www. .com/r/programming/comments/1nbqt4d/largest_npm_compromise_in_history_supply_chain/)