Hackers have only managed to steal $50 worth of crypto from a massive supply chain hack affecting JavaScript software libraries, industry security researchers say.
Crypto intelligence platform Security Alliance shared the findings on Monday after hackers broke into the node package manager (NPM) account of a well-known software developer and added malware to popular JavaScript libraries that have already been downloaded over 1 billion times, potentially putting countless crypto projects at risk. Ethereum and Solana wallets were specifically targeted, Security Alliance said.
Fortunately, less than $50 has been stolen from the crypto space so far, the security firm said, identifying Ethereum wallet address “0xFc4a48” as what it believes to be the only malicious address so far. It added on X:
”Picture this: you compromise the account of a NPM developer whose packages are downloaded more than 2 billion times per week. You could have unfettered access to millions of developer workstations. Untold riches await you. The world is your oyster. You profit less than 50 USD.”
The $50 figure was, however, bumped up from five cents a few hours earlier, suggesting the potential damage may still be unfolding.
ETH, memecoin among small amount of crypto stolen
The five cents stolen were in Ether (ETH) while another $20 worth of a memecoin was compromised, Security Alliance said.
Etherscan data shows the malicious address has received Brett (BRETT), Andy (ANDY), Dork Lord (DORK), Ethervista (VISTA), and Gondola (GONDOLA) memecoins so far.
Crypto projects that didn’t download the NPMs still at risk
The breach targeted packages such as chalk, strip-ansi, and color-convert — small utilities buried deep in the dependency trees in countless projects. Even devs who never installed them directly could be exposed.
NPM is like an app store for developers — a central library where they share and download small code packages to build JavaScript projects.
Related: Pokémon cards will soon have their ‘Polymarket moment’ — Bitwise
The attackers appear to have planted a crypto-clipper, a type of malware that silently replaces wallet addresses during transactions to divert funds.
Ledger chief technology officer Charles Guillemet was among many who have urged crypto users to proceed with caution when confirming onchain transactions.
In a separate post, Ledger said its devices weren’t directly affected by the NPM attack.
You won’t be instantly drained, crypto founder says
0xngmi, the pseudonymous founder of crypto analytics platform DeFiLlama, however said only crypto projects that updated after the malware-infected NPM package was published may be at risk, and even then, users must approve the malicious transaction for it to work.
Though like Guillemet, he said it may be safer to avoid using crypto websites until developers behind those platforms clean up the bad packages.
This is a developing story, and further information will be added as it becomes available.
Magazine: ‘Accidental jailbreaks’ and ChatGPT’s links to murder, suicide: AI Eye