The node package manager (NPM) account of a prominent software developer was breached by hackers, who then injected malware into widely used JavaScript libraries, targeting crypto wallets.
A total of $50 worth of crypto was stolen by hackers in a massive supply chain hack that affected JavaScript software libraries, according to industry security researchers.
According to findings shared on Monday by the crypto intelligence platform Security Alliance, hackers broke into a well-known software developer’s node package manager (NPM) account and added malware to popular JavaScript libraries that have already been downloaded over 1 billion times, potentially putting countless crypto projects at risk. Ethereum and Solana wallets were specifically targeted, Security Alliance said.
Fortunately, less than $50 has been stolen from the crypto space so far, according to the security firm, which identified the Ethereum wallet address “0xFc4a48” as what it believes to be the only malicious address so far. It also added on X:
“Picture this: you compromise the account of a NPM developer whose packages are downloaded more than 2 billion times per week. You could have unfettered access to millions of developer workstations. Untold riches await you. The world is your oyster. You profit less than 50 USD.”
“The hacker didn’t fully capitalize on the amount of access they had. It’s like finding the keycard to Fort Knox and using it as a bookmark. The malware was widespread but at this point is nearly completely neutralized,” said pseudonymous SEAL security researcher Samczsun.
The $50 figure was, however, raised from five cents a few hours earlier, suggesting the potential damage may still be unfolding.
Small-Scale Crypto Theft: ETH and Memecoins Among Stolen Funds
Five cents were stolen in Ether, while another $20 worth of a memecoin was compromised, according to Security Alliance.
Etherscan data shows that the malicious address has received Brett (BRETT), Andy (ANDY), Dork Lord (DORK), Ethervista (VISTA), and Gondola (GONDOLA) memecoins so far.
Are Crypto Projects that Didn’t Download NPMs Still at Risk?
The breach targeted packages such as chalk, strip-ansi, and color-convert — small utilities buried deep in the dependency trees of countless projects. Even developers who never installed them directly could have been exposed, because another package they depend on pulls them in.
NPM is like an app store for developers — a central library where they share and download small code packages to build JavaScript projects.
The attackers appear to have planted a crypto-clipper, a type of malware that silently replaces wallet addresses during transactions to divert funds.
Ledger chief technology officer Charles Guillemet was among many who have urged crypto users to proceed with caution when confirming onchain transactions.
Ledger and MetaMask Among Crypto Apps Unaffected by NPM Attack
Crypto wallet providers Ledger and MetaMask marked their platforms as safe from the NPM attack, pointing to “multiple layers of defense” to protect against such attacks.
The team behind Phantom Wallet said it does not use any vulnerable versions of the affected packages, while Uniswap noted that none of its apps are at risk.
Aerodrome, Blast, Blockstream Jade, and Revoke.cash were among the other crypto platforms that said they were unaffected by the supply chain attack.
“You Won’t Be Instantly Drained,” Crypto Founder Says: A Look at the NPM Attack
Only crypto projects that updated after the malware-infected NPM package was published may be at risk, according to 0xngmi, the pseudonymous founder of crypto analytics platform DefiLlama. Even then, users must approve the malicious transaction for it to work.
Like Guillemet, though, he said it may be safer to avoid using crypto websites until the developers behind those platforms have cleaned up the bad packages.