Crypto users urged to take extreme care as NPM attack hits core JavaScript libraries
The breach hit core JavaScript libraries such as chalk and strip-ansi, downloaded billions of times each week, raising alarms over the security of open-source software.
Hackers have compromised widely used JavaScript software libraries in what’s being called the largest supply chain attack in history. The injected malware is reportedly designed to steal crypto by swapping wallet addresses and intercepting transactions.
According to several reports on Monday, hackers broke into the node package manager (NPM) account of a well-known developer and secretly added malware to popular JavaScript libraries used by millions of apps.
The malicious code swaps or hijacks crypto wallet addresses, potentially putting many projects at risk.
“There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised,” Ledger Chief Technology Officer Charles Guillemet warned on Monday. “The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.”
The breach targeted packages such as chalk, strip-ansi and color-convert — small utilities buried deep in the dependency trees of countless projects. Together, these libraries are downloaded more than a billion times each week, meaning even developers who never installed them directly could be exposed.
NPM is like an app store for developers — a central library where they share and download small code packages to build JavaScript projects.
Attackers appear to have planted a crypto-clipper, a type of malware that silently replaces wallet addresses during transactions to divert funds.
Security researchers warned that users relying on software wallets may be especially vulnerable, while those confirming every transaction on a hardware wallet are protected.
Phishing emails gave attackers access to NPM maintainer accounts
Attackers sent emails posing as official NPM support, warning maintainers that their accounts would be locked unless they “updated” two-factor authentication by September 10.
The fake site captured login credentials, giving hackers control over a maintainer’s account. Once inside, the attackers pushed malicious updates to packages with billions of weekly downloads.
Charlie Eriksen, a researcher at Aikido Security, told BleepingComputer the attack was especially dangerous because it operated “at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing.”
Phishing email sent to JavaScript developers on Monday. Source: Github/Burnett01
This is a developing story, and further information will be added as it becomes available.
Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack
In what is being called the largest supply chain attack in history, attackers have injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack.
The package maintainer whose accounts were hijacked in this supply-chain attack confirmed the incident earlier today, stating that he was aware of the compromise and adding that the phishing email came from support [at] npmjs [dot] help, a domain that hosts a website impersonating the legitimate npmjs.com domain.
In the emails, the attackers threatened that the targeted maintainers' accounts would be locked on September 10th, 2025, as a scare tactic to get them to click on the link redirecting them to the phishing sites.
"As part of our ongoing commitment to account security, we are requesting that all users update their Two-Factor Authentication (2FA) credentials. Our records indicate that it has been over 12 months since your last 2FA update," the phishing email reads.
"To maintain the security and integrity of your account, we kindly ask that you complete this update at your earliest convenience. Please note that accounts with outdated 2FA credentials will be temporarily locked starting September 10, 2025, to prevent unauthorized access."
The attackers targeted other package maintainers and developers using the same email, according to reports from those who received the phishing message.
BleepingComputer found that the npmjs[.]help page also includes a login form that will exfiltrate inputted credentials to the following URL:
Since the incident was detected, the NPM team has removed some of the malicious versions published by the attackers, including the one for the debug package, which is downloaded 357.6 million times per week.
The supply chain attack
According to Aikido Security, which analyzed the supply-chain attack, the threat actors updated the packages after taking over control, injecting malicious code that acts as a browser-based interceptor into the index.js files, capable of hijacking network traffic and application APIs.
The malicious code only impacts individuals accessing the compromised applications over the web, monitoring for cryptocurrency addresses and transactions that are then redirected to attacker-controlled wallet addresses. This causes the transaction to be hijacked by the attackers rather than being sent to the intended address.
The malware operates by injecting itself into the web browser, monitoring Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash wallet addresses or transfers. On network responses with crypto transactions, it replaces the destinations with attacker-controlled addresses and hijacks transactions before they're signed.
Aikido says the malicious code does this by hooking JavaScript functions like fetch, XMLHttpRequest, and wallet APIs (window.ethereum, Solana, etc.).
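The hooking described above leaves a trace a page can check for at load time: the browser's own fetch and XMLHttpRequest methods stop being native functions. The following is an added example written for this article, not code from the article, from Aikido or from the malware; the names auditNetworkHooks and WATCHED_PATHS are chosen here, and the fake window in demo() is constructed.

```javascript
// A built-in stringifies as "function name() { [native code] }"; a JavaScript wrapper
// does not. The toString reference is captured once, because malware that also patches
// Function.prototype.toString could otherwise forge that string. Bound functions also
// stringify as native, so their "bound " name prefix is rejected too; this is a heuristic.
const nativeToString = Function.prototype.toString;

function isNativeFunction(fn) {
  return typeof fn === 'function' && !/^bound /.test(fn.name) &&
    /\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
}

// Built-ins the article says the interceptor hooks. Injected wallet objects such as
// window.ethereum are ordinary JavaScript, so nativeness cannot judge them.
const WATCHED_PATHS = ['fetch', 'XMLHttpRequest.prototype.open', 'XMLHttpRequest.prototype.send'];

// Resolve "XMLHttpRequest.prototype.open" against a root object (window in a browser).
function resolvePath(root, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Reports watched paths that are no longer native functions or that were turned into
// accessors (getters). An absent path is skipped: absence is not evidence of tampering.
function auditNetworkHooks(root, paths = WATCHED_PATHS) {
  const findings = [];
  for (const path of paths) {
    const segs = path.split('.');
    const parent = segs.length > 1 ? resolvePath(root, segs.slice(0, -1).join('.')) : root;
    if (parent == null) continue;
    const key = segs[segs.length - 1];
    const desc = Object.getOwnPropertyDescriptor(parent, key);
    if (desc && typeof desc.get === 'function') {
      findings.push({ path, reason: 'replaced by accessor' });
    } else if (parent[key] !== undefined && !isNativeFunction(parent[key])) {
      findings.push({ path, reason: 'not native code' });
    }
  }
  return findings;
}

// Constructed demo on a fake window. encodeURIComponent is a genuine V8 built-in standing
// in for a browser's native fetch (Node's own fetch is written in JavaScript); the tampered
// copy wraps it the way a response interceptor would, and turns XHR open into a getter.
function demo() {
  const native = encodeURIComponent;
  const win = { fetch: native, XMLHttpRequest: { prototype: { open: native } } };
  const before = auditNetworkHooks(win);
  win.fetch = function fetch(...args) { return native.apply(this, args); };
  Object.defineProperty(win.XMLHttpRequest.prototype, 'open', { get: () => native });
  return { before, after: auditNetworkHooks(win) };
}
```

In a real page the check would run as early as possible, before any bundled dependency code, and report findings to the server rather than only to the console.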
The packages hijacked so far collectively have over 2.6 billion downloads every week:
backslash (0.26m downloads per week)
chalk-template (3.9m downloads per week)
supports-hyperlinks (19.2m downloads per week)
has-ansi (12.1m downloads per week)
simple-swizzle (26.26m downloads per week)
color-string (27.48m downloads per week)
error-ex (47.17m downloads per week)
color-name (191.71m downloads per week)
is-arrayish (73.8m downloads per week)
slice-ansi (59.8m downloads per week)
color-convert (193.5m downloads per week)
wrap-ansi (197.99m downloads per week)
ansi-regex (243.64m downloads per week)
supports-color (287.1m downloads per week)
strip-ansi (261.17m downloads per week)
chalk (299.99m downloads per week)
debug (357.6m downloads per week)
ansi-styles (371.41m downloads per week)
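Because these utilities usually arrive as transitive dependencies, the first question for a project is whether any of them is installed at all, and at which versions. The following is an added example, not a tool from the article or from NPM: it walks a package-lock.json (lockfileVersion 2 or 3) for the names listed above; the function names and the SAMPLE_LOCK contents are constructed here.

```javascript
// Names of the packages the article lists as hijacked. The article does not give the
// malicious version numbers, so this reports every installed copy with its resolved
// version for comparison against the advisory rather than judging maliciousness itself.
const AFFECTED_PACKAGE_NAMES = new Set([
  'backslash', 'chalk-template', 'supports-hyperlinks', 'has-ansi', 'simple-swizzle',
  'color-string', 'error-ex', 'color-name', 'is-arrayish', 'slice-ansi', 'color-convert',
  'wrap-ansi', 'ansi-regex', 'supports-color', 'strip-ansi', 'chalk', 'debug', 'ansi-styles',
]);

// In lockfileVersion 2 and 3 the "packages" map is keyed by install path, e.g.
// "node_modules/a/node_modules/@s/b"; the package name is what follows the last
// "node_modules/" segment, so nested duplicates resolve to the same name.
function packageNameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns [{ name, version, path }] for every installed copy of an affected package,
// sorted by name then path. Lockfile v1 (nested "dependencies") is not handled here.
function findAffectedPackages(lock) {
  if (!lock || typeof lock.packages !== 'object') {
    throw new Error('expected a lockfileVersion 2 or 3 file with a "packages" map');
  }
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromLockPath(lockPath);
    if (name && AFFECTED_PACKAGE_NAMES.has(name)) {
      hits.push({ name, version: entry.version, path: lockPath });
    }
  }
  return hits.sort((a, b) => a.name.localeCompare(b.name) || a.path.localeCompare(b.path));
}

// Constructed sample lock (not a real project; versions are illustrative): chalk is
// present twice, at top level and nested under a hypothetical "some-cli" dependency,
// and debug once, while lodash is unrelated and must not be reported.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.3.0' },
    'node_modules/some-cli': { version: '2.0.0' },
    'node_modules/some-cli/node_modules/chalk': { version: '4.1.2' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/debug': { version: '4.3.4' },
  },
};
```

Against a real project, pass the parsed lock file instead of SAMPLE_LOCK, for example findAffectedPackages(JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))), and compare the reported versions with the advisory before deciding whether to pin or reinstall.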
"The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user," Aikido Security researcher Charlie Eriksen said.
"What makes it dangerous is that it operates at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users' apps believe they are signing."
This supply-chain attack follows a series of similar attacks targeting developers of various well-known JavaScript libraries over the past few months.
Both the phishing attack and the injected malware illustrate how the web browser has become a massive attack surface to steal credentials, modify traffic, and breach networks.