A Phishing Phantasm Breached NPM to Hijack Crypto Transactions
At least 18 widely used JavaScript packages, collectively downloaded more than 2 billion times per week, were briefly compromised with malicious code after a phishing attack on one of their maintainers. The breach, which affected the Node Package Manager (NPM) registry, let the attackers publish poisoned versions of these open-source libraries. The injected code was designed to hijack cryptocurrency transactions in users' browsers: it manipulated wallet interactions and redirected funds to attacker-controlled addresses without any obvious sign to the user [1].
The attack began with a phishing campaign that lured the maintainer into entering his credentials and a two-factor authentication (2FA) code on a spoofed NPM website. With account access, the attackers published package versions containing a browser-based interceptor that tampered with both web traffic and API calls. The malware operated at several layers at once: it could change the content a website displayed, rewrite the data exchanged with APIs, and alter what users believed they were signing when approving a transaction [1].
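An interceptor of the kind described above has to replace in-page functions (fetch, XMLHttpRequest methods, a wallet provider's request method) with JavaScript wrappers. The following added example, which is not code from the article, from Aikido, or from the malware, shows a cheap tamper check built on that fact: engine builtins stringify to "[native code]" while a JS wrapper stringifies to its source. JSON.parse is used as a stand-in for the browser and wallet APIs so the check runs under Node as well as in a browser; the hook installed in the demo is a constructed simulation, not the real payload.

```javascript
// Added example: tamper check for in-page API hooking. Constructed for this
// article; not the malware's code and not from any vendor writeup.
// JSON.parse stands in for fetch / XMLHttpRequest / a wallet provider's
// request() so that the demo runs under Node as well as in a browser.

const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// True when fn still stringifies like an engine builtin. Function.prototype.toString
// is called directly, so a wrapper that only overrides its own .toString is still
// caught. Caveat: bound functions, callable Proxies, and a payload that also patches
// Function.prototype.toString all pass this check; treat a pass as weak evidence.
function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  return NATIVE_RE.test(Function.prototype.toString.call(fn));
}

// Constructed stand-in for an interceptor: replaces obj[name] with a wrapper that
// records each call before forwarding it. Returns a function that restores the original.
function installHook(obj, name, log) {
  const original = obj[name];
  obj[name] = function hooked(...args) {
    log.push({ name, args });
    return original.apply(this, args);
  };
  return () => { obj[name] = original; };
}

// For each [object, property] pair, report whether the function still looks native.
function audit(targets) {
  return targets.map(([obj, name]) => ({ name, native: looksNative(obj[name]) }));
}

// Walk the lifecycle: clean builtin, hooked builtin, restored builtin.
function demo() {
  const targets = [[JSON, 'parse'], [JSON, 'stringify']];
  const before = audit(targets);
  const log = [];
  const restore = installHook(JSON, 'parse', log);
  JSON.parse('{"to":"0x0000000000000000000000000000000000000000"}'); // passes through the hook
  const during = audit(targets);
  restore();
  const after = audit(targets);
  return { before, during, after, hookedCalls: log.length };
}
```

In a browser the same audit would be pointed at window.fetch, XMLHttpRequest.prototype.open and send, and window.ethereum.request (assumed targets, chosen here for illustration). A failing check is a strong signal; a passing check is not, because a Proxy-based hook or one that also patches Function.prototype.toString is invisible to it. The recipient address shown on a hardware wallet's own screen is the one value a page script cannot rewrite.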
Security researchers at Aikido, a Belgian firm that monitors open-source packages, identified the compromised packages and alerted the affected developer through the Bluesky social network. The maintainer, Josh Junon, admitted to falling for the phishing attempt and quickly began cleaning up the affected packages. He acknowledged the breach on Hacker News, describing the incident as an "embarrassing" targeted attack [1].
The malicious code primarily targeted Ethereum (ETH) and Solana (SOL) wallets but could also intercept transactions involving Bitcoin (BTC), Litecoin (LTC), and other cryptocurrencies. It used lookalike addresses and obfuscation to mask the redirection of funds. The attack highlighted the fragility of widely used open-source software, where a single compromised package can propagate to billions of weekly downloads. Security Alliance, a crypto intelligence firm, reported that the attackers stole less than $50 from affected wallets, with the malicious activity limited to a few small-value transactions [4].
Industry experts have raised concerns about the broader implications of the incident, emphasizing the need for stronger identity verification and phishing-resistant authentication for critical infrastructure such as NPM. Philippe Caturegli of Seralys noted that the attackers could have done far more damage had they chosen to deploy a backdoor or a destructive payload. The use of a lookalike domain, npmjs.help, showed the attack was not a random phishing attempt but a calculated effort to exploit developer trust [1].
Ledger's Chief Technology Officer, Charles Guillemet, urged cryptocurrency users to verify every on-chain transaction before confirming it, emphasizing that hardware wallets offer better protection against this kind of attack. Because the malicious code still needed the user to approve the transaction in their wallet, the confirmation prompt, and the recipient address shown on a hardware wallet's own screen, served as the final line of defense. Security experts recommended that developers adopt stronger 2FA methods, such as physical security keys, and run security scanners that detect malicious code in open-source dependencies [3].
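The first thing a team asks after an incident like this is whether any affected version is pinned in its lockfiles. The following added example, which is not code from the article, from npm, or from Aikido, audits a package-lock.json (lockfileVersion 1, 2 or 3) against a denylist of package@version pairs. The denylist and the sample lockfiles are constructed placeholders: the article does not enumerate the affected packages or versions, so the real list from an advisory must be substituted before use.

```javascript
// Added example: audit an npm lockfile against a denylist of package@version pairs.
// Constructed for this article; the denylist entries are placeholders, NOT the
// actual compromised packages or versions, which the article does not list.

const DENYLIST = {
  'example-color-lib': new Set(['9.9.9']),          // placeholder
  'example-debug-lib': new Set(['1.2.3', '1.2.4']), // placeholder
};

// Map a lockfile v2/v3 "packages" key such as "node_modules/a/node_modules/b" to "b".
// Scoped names ("node_modules/@scope/pkg") keep their scope. The root entry "" maps to null.
function packageNameFromPath(p) {
  const marker = 'node_modules/';
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? null : p.slice(idx + marker.length);
}

// lockfileVersion 1 has a nested "dependencies" tree instead of a flat "packages" map.
function* walkV1(deps, prefix = '') {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { path, name, meta };
    if (meta && meta.dependencies) yield* walkV1(meta.dependencies, `${path}/`);
  }
}

// Yield every installed package as { path, name, meta } regardless of lockfile version.
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = packageNameFromPath(path);
      if (name) yield { path, name, meta };
    }
  } else if (lock.dependencies) {
    yield* walkV1(lock.dependencies);
  }
}

// Return every installed package whose exact version is on the denylist.
// Nested copies (a dependency's own node_modules) are reported separately,
// because deduplication can leave several versions of one package installed.
function findDenied(lock, denylist) {
  const hits = [];
  for (const { path, name, meta } of installedPackages(lock)) {
    if (!meta || typeof meta.version !== 'string') continue;
    const bad = denylist[name];
    if (bad && bad.has(meta.version)) {
      hits.push({ path, name, version: meta.version, integrity: meta.integrity || null });
    }
  }
  return hits;
}

// Human-readable lines for a report or CI log.
function formatReport(hits) {
  return hits.map(h => `DENIED ${h.name}@${h.version} at ${h.path}`);
}

// Constructed sample lockfile (v3): one clean version, one denied top-level copy,
// one denied nested copy, and a scoped package with a denied-looking version that
// must NOT match because its full name differs.
const SAMPLE_LOCK_V3 = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/example-color-lib': { version: '9.9.8' },
    'node_modules/example-debug-lib': { version: '1.2.3', integrity: 'sha512-placeholder' },
    'node_modules/some-dep': { version: '2.0.0' },
    'node_modules/some-dep/node_modules/example-debug-lib': { version: '1.2.4' },
    'node_modules/@scope/example-color-lib': { version: '9.9.9' },
  },
};

// Constructed sample lockfile (v1) with the same nested layout.
const SAMPLE_LOCK_V1 = {
  name: 'sample-app',
  lockfileVersion: 1,
  dependencies: {
    'some-dep': {
      version: '2.0.0',
      dependencies: { 'example-debug-lib': { version: '1.2.4' } },
    },
    'example-color-lib': { version: '9.9.9' },
  },
};
```

To run it against a real lockfile, pass the parsed file to findDenied, for example `findDenied(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')), DENYLIST)`, and fail the CI job when the returned array is non-empty. Matching on exact versions is deliberate: a semver range in package.json says nothing about what was actually installed, and `npm ci` installs exactly what the lockfile records.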
The incident has reignited discussion of software supply chain security, with calls for more rigorous attestation of widely used packages. Nicholas Weaver of the International Computer Science Institute argued that NPM's lack of phishing-resistant authentication for contributor accounts could be considered negligent given the registry's central role in modern software development. As organizations increasingly rely on AI-driven coding tools that pull in hundreds of dependencies automatically, the risk of similar supply chain compromises remains high [1].
Aikido has introduced a new product aimed at helping development teams verify the safety of code libraries before use. Security Alliance likewise noted that the attackers could have caused significantly more damage had the compromised code been deployed in a more persistent and destructive form. The small financial loss reported so far suggests the attack was narrowly focused on cryptocurrency theft; the same access could have carried a far more harmful payload [4].
The event also highlights the challenges faced by open-source maintainers, many of whom manage widely used projects with limited resources. Security researcher Kevin Beaumont remarked that the global software ecosystem often depends on a small number of under-resourced individuals, which makes it vulnerable to targeted attacks. As the software industry continues to rely on open-source components, the need for stronger governance, continuous monitoring, and identity protection becomes increasingly urgent [1].
Sources:
[1] 18 Popular Code Packages Hacked, Rigged to Steal Crypto (https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/)
[2] Eighteen packages in NPM open code repository (https://solomonh.substack.com/p/eighteen-packages-in-npm-open-code)
[3] Largest NPM attack in crypto history stole less than $50 (https://cointelegraph.com/news/large-scale-npm-attack-compromised-less-50-dollars)
[4] Hackers Target JavaScript Ecosystem to Hijack Crypto (https://forklog.com/en/hackers-target-javascript-ecosystem-to-hijack-crypto-wallets/)
