Widespread NPM Supply Chain Attack Targets Core JavaScript Libraries
Security researchers have uncovered what is being described as the largest supply chain attack in history, involving the injection of crypto-stealing malware into core JavaScript libraries distributed via the Node Package Manager (NPM).
On Monday, multiple reports revealed that hackers compromised the NPM account of a reputable developer, surreptitiously inserting malicious code into popular JavaScript packages such as chalk, strip-ansi, and color-convert. These libraries, although small utilities, are deeply embedded in the dependency trees of millions of applications and collectively see over a billion downloads weekly.
Malware Designed to Hijack Crypto Wallet Transactions
The injected malware operates as a crypto-clipper, a type of malicious software that intercepts and replaces cryptocurrency wallet addresses during transactions. This allows attackers to divert funds by swapping out recipients’ addresses without users’ knowledge.
Ledger’s Chief Technology Officer, Charles Guillemet, highlighted the scale of the threat, noting the vast reach across the JavaScript ecosystem due to the ubiquity of these packages.
Security experts warn that users relying solely on software wallets are particularly vulnerable, as the malware can alter transaction details at the software level. Conversely, hardware wallets, which require manual confirmation of transaction details, provide a layer of protection against such attacks.
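The two preceding paragraphs describe the clipper's window of opportunity: the recipient is rewritten after the user has entered it and before the transaction is signed, which a hardware wallet defeats by forcing a manual check of the details. The following is an added example, not code from the article or from any project it names, of the same check done in software: the recipient and amount the user entered are snapshotted at form submission and the payload handed to the signer is compared against that snapshot before any signature is produced. The signer, the transaction ids and the two addresses are constructed placeholders, not a real wallet API.

```javascript
// Added example (not from the article): a "what you see is what you sign" guard.
// The values the user typed are recorded at submit time; the payload that reaches
// the signer must match them exactly, otherwise signing is refused.

const intents = new Map(); // txId -> { to, amount } snapshot of what the user entered

function normalizeAddress(addr) {
  return String(addr).trim().toLowerCase();
}

// Called when the user submits the form; values come straight from the UI fields.
function recordIntent(txId, to, amount) {
  intents.set(txId, { to: normalizeAddress(to), amount: String(amount) });
}

// Compare the payload about to be signed with the recorded intent.
// Returns { ok: true } or { ok: false, reason }.
function verifyAgainstIntent(txId, payload) {
  const snap = intents.get(txId);
  if (!snap) return { ok: false, reason: 'no recorded intent for ' + txId };
  if (normalizeAddress(payload.to) !== snap.to) {
    return { ok: false, reason: 'recipient differs from what the user entered' };
  }
  if (String(payload.amount) !== snap.amount) {
    return { ok: false, reason: 'amount differs from what the user entered' };
  }
  return { ok: true };
}

// Stand-in signer (hypothetical); a real wallet would produce a signature here.
function fakeSign(payload) {
  return 'signed(' + payload.to + ',' + payload.amount + ')';
}

// The only path through which the application is allowed to reach the signer.
function guardedSign(txId, payload, signer = fakeSign) {
  const check = verifyAgainstIntent(txId, payload);
  if (!check.ok) throw new Error('refusing to sign: ' + check.reason);
  intents.delete(txId); // one recorded intent yields at most one signature
  return signer(payload);
}

// Constructed placeholders, not real addresses.
const ADDR_A = '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
const ADDR_B = '0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';

// Constructed sample run: the user entered ADDR_A; a tampered payload carries ADDR_B.
function demo() {
  recordIntent('tx1', ADDR_A, '1.5');
  const honest = verifyAgainstIntent('tx1', { to: ADDR_A, amount: '1.5' });
  const tampered = verifyAgainstIntent('tx1', { to: ADDR_B, amount: '1.5' });
  return { honest: honest.ok, tampered: tampered.ok };
}

console.log(demo()); // { honest: true, tampered: false }
```

The guard only covers the window the article describes, namely modification after the user has entered the address. If the address was already swapped before the user pasted it, the snapshot itself is wrong, so the recorded intent should additionally be compared with a recipient the user verified out of band (an address book entry, or the details shown on a hardware wallet's own screen).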
Phishing Enabled Attackers to Gain Maintainer Access
Investigations indicate that attackers gained access to NPM maintainer accounts through a sophisticated phishing campaign. Developers received emails impersonating official NPM communications that instructed them to update their two-factor authentication settings by a given deadline. The emails led to fake login sites that captured credentials, giving the attackers control over the maintainer accounts.
Once inside, the hackers pushed malicious updates to the targeted packages, compromising millions of users downstream.
Charlie Eriksen, a security researcher at Aikido Security, emphasized the attack’s complexity, stating it manipulated multiple layers including website content, API calls, and application-level signing processes.
Users and Developers Urged to Exercise Caution
Oxngmi, founder of DefiLlama, clarified that the malware does not automatically drain wallets; users must still approve transactions. However, the malware can alter transaction details at the moment of approval, effectively redirecting funds to attackers.
He advised that only projects that updated their dependencies after the malicious versions were published are at risk, since many developers pin dependencies to specific versions, which keeps a newly published version from being pulled in automatically.
Given the difficulty in identifying affected platforms, users are strongly recommended to refrain from executing crypto transactions on websites until the compromised packages are fully remediated.
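The two points above, that only projects which resolved new versions after publication are exposed and that pinning prevents that, come down to two questions a maintainer can answer from the lockfile: which versions of the named packages are actually installed (including nested copies pulled in by other dependencies), and which direct dependencies are declared with a range rather than an exact version. The following is an added example, not code from the article or from the npm project, that answers both for a constructed package-lock.json and package.json embedded inline; the package names come from the article, every version and path is a constructed sample.

```javascript
// Added example (not from the article): audit a lockfile for the utility packages
// named in the reports and flag direct dependencies that are not pinned exactly.

const WATCHLIST = ['chalk', 'strip-ansi', 'color-convert'];

// Constructed package-lock.json in the lockfileVersion 3 layout: a flat "packages"
// map keyed by install path; nested copies live under node_modules/<parent>/node_modules/<name>.
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { chalk: '^5.3.0', 'color-convert': '2.0.1' } },
    'node_modules/chalk': { version: '5.3.0' },
    'node_modules/color-convert': { version: '2.0.1' },
    'node_modules/some-cli': { version: '1.0.0', dependencies: { 'strip-ansi': '^6.0.0' } },
    'node_modules/some-cli/node_modules/strip-ansi': { version: '6.0.1' },
  },
};

// Constructed package.json: chalk is declared with a caret range, color-convert exactly.
const samplePackageJson = {
  dependencies: { chalk: '^5.3.0', 'color-convert': '2.0.1' },
};

// Package name from an install path: everything after the last "node_modules/",
// so scoped packages (@scope/name) keep both segments.
function nameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Every installed copy of each watched package: { name: [{ path, version }, ...] }.
function findInstalled(lock, watchlist) {
  const hits = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = nameFromPath(path);
    if (watchlist.includes(name)) {
      (hits[name] = hits[name] || []).push({ path, version: meta.version });
    }
  }
  return hits;
}

// An exact pin is a bare semver version with no range operator in front of it.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/.test(String(spec));
}

// Direct dependencies declared with a range ("^", "~", ">=", "latest", ...) rather
// than an exact version; these are the ones a plain "npm install" may move forward.
function looselyPinned(pkgJson) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkgJson[field] || {})) {
      if (!isExactPin(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

function report(lock, pkgJson, watchlist) {
  const installed = findInstalled(lock, watchlist);
  const loose = looselyPinned(pkgJson);
  return {
    installed,
    missing: watchlist.filter((n) => !installed[n]),
    loose,
  };
}

console.log(JSON.stringify(report(sampleLock, samplePackageJson, WATCHLIST), null, 2));
```

To run it against a real project, replace the two constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and the same for `package.json`. The versions it lists still have to be compared with the dates on which the malicious versions were published; the lockfile does not record publication times, so that comparison is made against the registry's metadata for each package.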
FinOracleAI — Market View
This large-scale NPM supply chain attack introduces significant risks to the JavaScript development ecosystem and the broader crypto user base. The widespread use of the compromised packages, combined with the stealthy nature of the crypto-clipper malware, heightens vulnerability, especially among software wallet users. Immediate remediation efforts and enhanced developer security protocols are critical to restore trust.
Impact: negative