Hackers launched the largest NPM crypto attack in history and compromised 18 JavaScript packages with billions of downloads. However, they stole less than $50.
The largest NPM crypto attack in history has been confirmed this week. However, despite how large it was, its outcome was surprisingly small.
Despite affecting widely used JavaScript libraries downloaded billions of times, hackers were able to steal less than $50 worth of crypto.
How Hackers Pulled Off the NPM Crypto Attack
Hackers gained access to the Node Package Manager (NPM) account of a well-known developer, Josh Junon, also known as “qix.” They used a phishing email that impersonated an official npmjs.com support address. The email urged Junon and other maintainers to update their two-factor authentication and threatened to lock accounts if they failed to comply.
https://t.co/hB5oV2Ba7o
— Security Alliance (@_SEAL_Org) September 8, 2025
Once Junon’s account was compromised, attackers injected malware into 18 of his NPM packages. These included widely used libraries like chalk, strip-ansi, and debug, which, when combined, see more than 2.6 billion downloads every week.
The malware worked as a crypto-clipper.
It simply monitored Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash wallet addresses. When a transaction was initiated, it simply replaced the destination address with an attacker-controlled address.
Damage Limited to Less Than $50
According to blockchain security firm Security Alliance, the financial effect was minimal. The hacker(s)’ Ethereum address, identified as “0xFc4a48”, has received less than $50 in assets.
Initial reports showed only five cents stolen in Ether. Later, around $20 worth of a memecoin was added.
The wallet also received small amounts of tokens like Brett, Andy, Dork Lord, Ethervista and Gondola. This indicates that the attacker either failed to spread the malware widely enough or users quickly identified and blocked any suspicious transactions.
Why the NPM Crypto Attack Matters
Even though losses were small, the event further pointed out the risks of supply chain attacks.
Developers who never directly installed the compromised packages may still have been exposed, because the libraries sit deep in dependency trees used by countless projects.
Ledger’s chief technology officer, Charles Guillemet, urged developers to be cautious and urged everyone to double-check wallet addresses during transactions. Crypto apps like Phantom Wallet and Uniswap also confirmed that they were not affected, while Ledger and MetaMask reassured users of their defenses.
As a MetaMask user, you do not need to be scared of the supply chain attack that took place earlier today.
MetaMask has multiple layers of defense to protect our products and users:
– Basic Security: We lock our versions, don’t push directly to main, have manual and automated…
— MetaMask.eth 🦊 (@MetaMask) September 8, 2025
DefiLlama founder 0xngmi noted that only projects updated after the hacker’s exploit was released could be at risk.
How the Malware Worked
According to Aikido Security, the injected code hooked into JavaScript functions like fetch, XMLHttpRequest, and wallet APIs like window Ethereum and Solana connectors.
It intercepted crypto activity in the browser and manipulated wallet interactions, while rewriting the payment destinations.
This made the attack dangerous because it worked across multiple layers. It changed content displayed to users and tampered with API calls.
Still, the malware only affected users who installed the updated packages during the brief compromise window. This limited its reach compared to other large-scale hacks.
Lessons From the Largest NPM Crypto Attack
The incident further calls for the need for stronger security practices among developers. Two-factor authentication is important, but phishing emails that impersonate trusted services will always be effective.
For crypto users, the advice is simple. Always verify wallet addresses before sending funds. Use wallets with built-in security layers like MetaMask and Ledger, which can block known malicious scripts.
Security firms also recommend that developers pin dependency versions in their projects and use automated scanning tools to detect any unexpected changes in libraries.