TLDR
- 18 popular NPM packages with over 2 billion weekly downloads were compromised through a phishing attack targeting developer “Qix”
- The malware functioned as a “crypto-clipper,” silently replacing wallet addresses during transactions
- Despite the massive scale, only about $497 was stolen thanks to quick detection
- Hardware wallet users remained safe if they verified transaction details on their devices
- Major protocols like Uniswap, Jupiter, and MetaMask have assured users their funds are safe
The cryptocurrency ecosystem faced a major security threat this week when 18 popular NPM JavaScript packages were compromised in a large-scale supply chain attack. The incident, which began on September 8, 2025, potentially put billions of dollars at risk but was quickly detected, limiting the damage.
The attack started with a phishing email impersonating official NPM support. The target was a respected developer known as “Qix-,” whose NPM account was hijacked. This gave attackers access to publish malicious updates to widely-used JavaScript libraries.
Charles Guillemet, Chief Technology Officer at Ledger, was among the first to raise the alarm. “The NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times,” he warned on social media.
There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.
The malicious payload works…
— Charles Guillemet (@P3b7_) September 8, 2025
The compromised packages included essential JavaScript libraries such as ‘chalk’, ‘debug’, ‘ansi-styles’, and ‘strip-ansi’. These are fundamental building blocks used in countless web applications and development tools.
Together, these packages see more than 2 billion weekly downloads. This makes the potential reach of the attack one of the largest in recent history.
How the Crypto Clipper Worked
The malicious code injected into these packages functioned as what security researchers call a “crypto clipper.” This type of malware silently monitors for cryptocurrency wallet addresses and replaces them with addresses controlled by the attacker.
Once installed, the malware used Levenshtein (edit-distance) logic to produce lookalike addresses. When a user copied a wallet address to make a transaction, the malware replaced it with the attacker’s address.
This attack was particularly dangerous because it didn’t require users to make obvious mistakes. Even when following normal security practices, users could unknowingly send funds to attackers.
The malware was designed to target multiple blockchains. It could recognize and replace addresses for Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash, among others.
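The following is an added example written for this article, not code from the article or from any of the affected packages. It shows the defender's side of the mechanism described above: when a substitute address is chosen by edit distance, the swapped-in address shares its leading and trailing characters with the real one, so a glance at the first and last few characters passes, and the only check that actually holds is exact equality against the address shown on a trusted display such as a hardware wallet screen. The chain patterns, the lookalike threshold and all sample addresses are assumptions constructed for the demonstration.

```javascript
// Added example, not code from the article or from the affected npm packages.
// Defender-side recipient verification: an edit-distance lookalike keeps the
// prefix and suffix intact, so exact equality is the only trustworthy check.

// Assumed, deliberately loose address shapes used only to label which chain an
// address belongs to; they are not validators (no checksum verification).
const CHAIN_PATTERNS = [
  ['ethereum', /^0x[0-9a-fA-F]{40}$/],
  ['tron', /^T[1-9A-HJ-NP-Za-km-z]{33}$/],
  ['bitcoincash', /^(bitcoincash:)?[qp][0-9a-z]{41}$/],
  ['litecoin', /^(ltc1[0-9a-z]{25,59}|[LM][1-9A-HJ-NP-Za-km-z]{26,33})$/],
  ['bitcoin', /^(bc1[0-9a-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$/],
  ['solana', /^[1-9A-HJ-NP-Za-km-z]{32,44}$/], // last: overlaps other base58 formats
];

function detectChain(address) {
  for (const [chain, pattern] of CHAIN_PATTERNS) {
    if (pattern.test(address)) return chain;
  }
  return 'unknown';
}

// Standard Levenshtein edit distance (two-row dynamic programming).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// How many leading and trailing characters two strings share: the part a
// human spot-check usually looks at.
function sharedEnds(a, b) {
  let prefix = 0;
  while (prefix < a.length && prefix < b.length && a[prefix] === b[prefix]) prefix++;
  let suffix = 0;
  while (suffix < a.length - prefix && suffix < b.length - prefix &&
         a[a.length - 1 - suffix] === b[b.length - 1 - suffix]) suffix++;
  return { prefix, suffix };
}

// Assumed threshold: a substitute this close to the intended address is treated
// as a deliberate lookalike rather than a typo or a genuinely different payee.
const LOOKALIKE_MAX_DISTANCE = 4;

// intended: the address the user meant to pay (obtained out of band);
// presented: the address that actually reached the signing request or device screen.
function verifyRecipient(intended, presented) {
  const chain = detectChain(intended);
  const ends = sharedEnds(intended, presented);
  if (intended === presented) {
    return { ok: true, chain, distance: 0, verdict: 'match', ...ends };
  }
  const distance = levenshtein(intended, presented);
  const verdict = distance <= LOOKALIKE_MAX_DISTANCE ? 'lookalike-swap' : 'mismatch';
  return { ok: false, chain, distance, verdict, ...ends };
}

// Constructed sample values (not real wallets). The lookalike differs from the
// intended address in only two characters in the middle.
const INTENDED = '0x5a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d';
const LOOKALIKE = '0x5a1b2c3d4e5f6071ff93a4b5c6d7e8f90a1b2c3d';
const UNRELATED = '0x0000000000000000000000000000000000000000';

for (const presented of [INTENDED, LOOKALIKE, UNRELATED]) {
  const r = verifyRecipient(INTENDED, presented);
  console.log(`${presented}: ${r.verdict} (chain=${r.chain}, distance=${r.distance}, ` +
              `shared prefix=${r.prefix}, shared suffix=${r.suffix})`);
}
```

Run with `node` and note the middle line: the lookalike reports a shared prefix of 18 and a shared suffix of 22 characters out of 42, which is exactly why "check the start and the end" is not a defence here, and why a similar-but-not-identical address should be treated as a stronger warning sign than an obviously wrong one.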
Security researchers quickly identified several wallet addresses linked to the attack. Blockchain analyst Rani Haddad categorized these on Arkham Intelligence under an entity labeled “NPM attack.”
Limited Financial Impact
Despite the massive scale of the compromise, the financial impact was surprisingly small. According to available data, the attackers only managed to steal approximately $497 in cryptocurrency.
This limited success can be attributed to several factors. First, the attack was detected within minutes by Aikido Security’s threat feed. Early warning signs included build pipelines suddenly failing with unusual errors.
Within about an hour of the malicious package updates, security researchers had disclosed the incident and warned the community. This quick response significantly limited the window of exposure.
Another factor limiting the damage was the protection offered by hardware wallets. Users of hardware wallets like Ledger or Trezor were protected because these devices require physical confirmation of transaction details.
Hardware Wallet Protection
Ledger’s CTO offered clear guidance during the attack: “If you use a hardware wallet, pay attention to every transaction before signing and you’re safe. If you don’t, refrain from making any on-chain transactions for now.”
Hardware wallets provide an extra layer of security because the malware cannot alter what’s displayed on the physical device screen. When users verify recipient addresses on their hardware wallet, they can spot any attempted address swapping.
This incident highlighted the importance of using hardware wallets for cryptocurrency storage and transactions. No losses were reported from hardware wallet users who carefully verified transaction details.
Many major protocols and wallets quickly responded to reassure users. Uniswap, SUI, Jupiter, Ledger, and MetaMask all issued statements confirming they were taking measures to protect users.
MetaMask noted on social media that users “do not need to be scared,” while Phantom wallet confirmed it was not at risk from the attack.
The attack serves as a reminder of the increasing complexity of security threats in the cryptocurrency space. It demonstrates how vulnerabilities in seemingly unrelated software components can directly threaten financial assets.
For developers, the incident underscores the importance of dependency hygiene and careful package management. For crypto users, it reinforces the value of hardware wallets and transaction verification.
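As an added example of the dependency hygiene the paragraph above calls for (written for this article, not code from Blockonomi, npm or any of the projects mentioned), the script below audits a `package-lock.json` for the package names the article lists, including nested copies that `npm ls` users often overlook, and flags lockfile entries with no `integrity` hash. The article does not give the affected version numbers, so the version strings are obvious placeholders to be replaced with the versions from an advisory you trust; the sample lockfile is constructed.

```javascript
// Added example, not code from the article or from npm itself. Audits a
// package-lock.json (lockfileVersion 2/3 "packages" map) for the packages named
// in the article, nested copies included, and flags entries lacking integrity.

// Package names are from the article; the versions are PLACEHOLDERS (the
// article lists none). Substitute the affected versions from your advisory.
const AFFECTED = {
  chalk: ['0.0.0-placeholder'],
  debug: ['0.0.0-placeholder'],
  'ansi-styles': ['0.0.0-placeholder'],
  'strip-ansi': ['0.0.0-placeholder'],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Flatten the lockfile's "packages" map into one record per installed copy.
function lockfileEntries(lock) {
  return Object.entries(lock.packages || {})
    .filter(([lockPath]) => lockPath !== '') // '' is the root project itself
    .map(([lockPath, meta]) => ({
      path: lockPath,
      name: packageNameFromPath(lockPath),
      version: meta.version,
      integrity: meta.integrity || null,
    }));
}

function auditLockfile(lock, affected = AFFECTED) {
  const entries = lockfileEntries(lock);
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  // present: any copy of a named package, whatever its version (worth a look
  // even when the exact bad versions are not yet known to you)
  const present = entries.filter((e) => has(affected, e.name));
  const compromised = present.filter((e) => affected[e.name].includes(e.version));
  const missingIntegrity = entries.filter((e) => !e.integrity);
  return { present, compromised, missingIntegrity };
}

// Convenience wrapper for a real project: node audit.js ./package-lock.json
function auditLockfileFile(filePath) {
  const fs = require('fs');
  return auditLockfile(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

// Constructed lockfile fragment for the demonstration (not a real project).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/chalk': { version: '0.0.0-placeholder', integrity: 'sha512-constructed-a' },
    'node_modules/debug': { version: '0.0.0-clean', integrity: 'sha512-constructed-b' },
    'node_modules/@example/util': { version: '2.1.0', integrity: 'sha512-constructed-c' },
    'node_modules/@example/util/node_modules/strip-ansi': { version: '0.0.0-placeholder' },
  },
};

const report = auditLockfile(SAMPLE_LOCK);
for (const e of report.compromised) console.log(`COMPROMISED ${e.name}@${e.version} at ${e.path}`);
for (const e of report.present) console.log(`present     ${e.name}@${e.version} at ${e.path}`);
for (const e of report.missingIntegrity) console.log(`no integrity for ${e.path}`);
```

The nested `strip-ansi` copy is the case to watch: it is pulled in transitively by another dependency, so it does not appear at the top level of `node_modules` and a quick look at `package.json` would never show it. Run `auditLockfileFile('package-lock.json')` against a real project after replacing the placeholder versions.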
The NPM packages have since been secured, with the compromised versions removed. However, the incident stands as a stark warning about the fragility of open-source supply chains and their connection to financial security in Web3.
As the cryptocurrency ecosystem continues to grow, both users and developers must remain vigilant against increasingly sophisticated attacks targeting the software supply chain.
The post JavaScript Libraries with 2 Billion Weekly Downloads Targeted in Crypto Theft Attempt appeared first on Blockonomi.