Hackers have compromised widely used JavaScript software libraries in what’s being called the largest supply chain attack in history. The injected malware is reportedly designed to steal crypto by swapping wallet addresses and intercepting transactions.
According to several reports on Monday, hackers broke into the node package manager (NPM) account of a well-known developer and secretly added malware to popular JavaScript libraries used by millions of apps.
The malicious code swaps or hijacks crypto wallet addresses, potentially putting many projects at risk.
“There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised,” Ledger Chief Technology Officer Charles Guillemet warned on Monday. “The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.”
The breach targeted packages such as chalk, strip-ansi and color-convert — small utilities buried deep in the dependency trees of countless projects. Together, these libraries are downloaded more than a billion times each week, meaning even developers who never installed them directly could be exposed.
NPM is like an app store for developers — a central library where they share and download small code packages to build JavaScript projects.
Attackers appear to have planted a crypto-clipper, a type of malware that silently replaces wallet addresses during transactions to divert funds.
Security researchers warned that users relying on software wallets may be especially vulnerable, while those confirming every transaction on a hardware wallet are protected.
Users warned to avoid crypto transactions
According to an X post by DefiLlama founder 0xngmi, the malicious code doesn’t automatically drain wallets — users would still have to approve a bad transaction.
Since the hacked JavaScript package can alter what happens when you click a button, hitting the “swap” button on an affected site could swap out the transaction details and send funds to the hacker instead.
He added that only projects that updated after the compromised package was published are at risk, and many developers “pin” their dependencies so they keep using older, safe versions.
Still, because users can’t easily tell which sites were updated safely, it’s best to avoid using crypto websites until the affected packages are cleaned up.
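As an added example that is not part of this article (nor a tool from npm or any of the researchers quoted), the script below audits a package-lock.json for the utilities named above, reports where they sit in the dependency tree, and flags direct dependencies declared with a version range rather than an exact version. The package.json and lockfile contents are constructed sample data, and the version numbers are placeholders, not the versions named in any advisory.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map) for the
// utilities named in the article and check whether direct dependencies are pinned.
// All sample data below is constructed; version numbers are placeholders.
const WATCHLIST = ["chalk", "strip-ansi", "color-convert"];

// An exact version is MAJOR.MINOR.PATCH with an optional prerelease tag;
// anything with ^, ~, >=, * or x is a range that a later install can move.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Walk the "packages" map. Keys look like "node_modules/chalk" or
// "node_modules/foo/node_modules/strip-ansi"; the name is whatever follows
// the last "node_modules/", so nested (transitive) copies are found too.
function findWatched(lock) {
  const marker = "node_modules/";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root entry describes the project itself
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (WATCHLIST.includes(name)) {
      hits.push({ name, path, version: meta.version, hasIntegrity: Boolean(meta.integrity) });
    }
  }
  return hits;
}

// Direct dependencies that use a range instead of an exact version.
function unpinnedDeps(pkg) {
  const all = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(all).filter(([, spec]) => !isPinned(spec)).map(([name]) => name);
}

// Constructed sample input (placeholder versions and integrity values).
const samplePkg = { dependencies: { chalk: "^5.0.0", express: "4.19.2" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { chalk: "^5.0.0", express: "4.19.2" } },
    "node_modules/chalk": { version: "5.0.1", integrity: "sha512-PLACEHOLDER" },
    "node_modules/express": { version: "4.19.2", integrity: "sha512-PLACEHOLDER" },
    "node_modules/express/node_modules/strip-ansi": { version: "6.0.0" }, // no integrity field
  },
};

console.log("watched packages:", findWatched(sampleLock));
console.log("unpinned direct deps:", unpinnedDeps(samplePkg));
```

Entries without an integrity field or with a range in package.json are the ones to compare against the affected-version list published for this incident and to re-lock once a clean release is available.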
Phishing emails gave attackers access to NPM maintainer accounts
Attackers sent emails posing as official NPM support, warning maintainers that their accounts would be locked unless they “updated” two-factor authentication by Sept. 10.
The link in those emails led to a fake site that captured login credentials, giving hackers control over a maintainer’s account. Once inside, the attackers pushed malicious updates to packages with billions of weekly downloads.
Charlie Eriksen, a researcher at Aikido Security, told BleepingComputer the attack was especially dangerous because it operated “at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing.”