Key Takeaways:
- Hackers compromised the NPM account of a top developer, targeting packages with over 1 billion downloads.
- The injected code attempted to hijack crypto transactions across Ethereum, Solana, Bitcoin, and other blockchains.
- Coding errors caused early crashes in build pipelines, limiting losses to about $505, according to Arkham data.
A major supply-chain attack on the Node Package Manager (NPM) ecosystem shook the crypto industry this week. Despite targeting some of the most widely used JavaScript libraries, the exploit ultimately failed, with Ledger’s CTO Charles Guillemet confirming “almost no victims.”
A Billion-Download Threat That Nearly Slipped Through
The incident began when attackers launched a phishing campaign using a fake NPM support domain. By tricking developers into surrendering credentials, the hackers gained control of the NPM account of “qix,” a popular open-source contributor.
Using this access, they pushed malicious updates to libraries such as chalk (300M weekly downloads), strip-ansi (261M), and color-convert (193M), utilities buried deep in the dependency trees of thousands of web and crypto projects.
The injected payload acted as a crypto-clipper, replacing legitimate wallet addresses with attacker-owned ones on the fly. It used the Levenshtein distance algorithm to pick the attacker address that most closely resembled the original, making the fraudulent substitution almost impossible for a user to notice.
How the Attack Worked
Two-Pronged Exploit Design
The malware used a dual approach to maximize its chances of stealing funds:
- Passive Address Swapping
  - Intercepted web requests through patched fetch and XMLHttpRequest.
  - Targeted addresses on Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash.
  - Replaced recipient addresses with visually similar attacker-controlled ones.
- Active Transaction Hijacking
  - Detected wallet extensions like MetaMask.
  - Intercepted transactions before signing, swapping the intended address with the attacker’s.
  - Relied on users failing to double-check wallet confirmation screens.
Security experts warned that the strategy could have siphoned millions, had it not been for a critical bug. The injected code caused CI/CD pipelines to crash, revealing the attack much earlier than expected.
Minimal Financial Damage, Major Industry Warning
Blockchain analytics firm Arkham reported that attackers netted just $505 worth of crypto across a few addresses tied to the exploit. Ledger’s Charles Guillemet stressed that the outcome was “lucky,” given that the compromised packages had over a billion total downloads.
Well-known Web3 platforms, including Uniswap, Aave, MetaMask, and Lido, confirmed they were unaffected. Still, the scale of the attempted breach has renewed focus on the vulnerabilities of open-source supply chains.
Anatoly Makosov, CTO of The Open Network (TON), explained that only 18 package versions were compromised; older and newer versions are unaffected. He urged developers whose projects auto-update libraries to audit their dependencies as soon as possible and pin known-safe versions.
⚠️ Attack on popular NPM packages — technical details
A few hours ago, hackers gained access to some NPM accounts and published infected versions of popular libraries.
Many web products use these packages.
Although TON products do not appear to be at risk, developers of…
— Anatoly Makosov (@anatoly_makosov) September 8, 2025
Hardware Wallets vs. Software Wallets: Lessons Reinforced
The incident highlighted the danger to users who rely solely on software wallets or exchanges. As Guillemet put it:
“If your funds sit in a software wallet or on an exchange, you’re one code execution away from losing everything.”
Ledger and other hardware wallet providers highlighted features such as Clear Signing and Transaction Checks, which allow users to independently verify the true recipient address before finalizing any transaction.
Unlike hot wallets, hardware devices isolate private keys, making them resistant to this type of supply-chain compromise. Ledger confirmed its own products were never at risk during the attack.