The NPM supply chain attack injected a crypto-clipper into widely used JavaScript libraries (chalk, strip-ansi, color-convert), aiming to replace wallet addresses and divert funds. Security researchers say the breach targeted Ethereum and Solana wallets and so far has netted under $50.
Supply chain breach of NPM packages introduced a crypto-clipper
Attack targeted Ethereum and Solana wallets via address-replacing malware in dependencies
Malicious address identified as 0xFc4a48; researchers report under $50 stolen so far
What was the NPM supply chain attack that targeted crypto wallets?
The NPM supply chain attack was a compromise of a developer’s NPM account that allowed attackers to inject a crypto-clipper into popular JavaScript libraries. The malware silently replaces wallet addresses during transactions, targeting Ethereum and Solana users; researchers report less than $50 stolen so far.
How did attackers distribute the crypto-clipper through JavaScript libraries?
Attackers gained access to a widely used NPM developer account and modified packages buried deep in dependency trees. The compromised packages include chalk, strip-ansi, and color-convert, each downloaded hundreds of millions to billions of times, thereby exposing countless projects and developer workstations.
Which wallets and addresses were affected and what was stolen?
Security Alliance reports the attackers specifically aimed at Ethereum and Solana transactions. Blockchain monitoring shows the suspected malicious address as 0xFc4a48. Initial takings were tiny — 5 US cents in ETH and roughly $20 in memecoins — later aggregated to under $50 at the time of reporting.
| Asset | Reported Amount |
|---|---|
| Ether (ETH) | $0.05 (initially reported) |
| Memecoins (BRETT, ANDY, DORK, VISTA, GONDOLA) | ~$20 |
| Total reported so far | <$50 |
Why are dependency packages like chalk a high-risk vector?
Small utility packages are deeply nested in many projects’ dependency trees. Developers frequently inherit these modules without direct installs, creating a wide blast radius when trusted packages are compromised. The high download counts mean a single compromised maintainer account can affect millions of developer environments.
Experts recommend immediate auditing of recent installs and running integrity checks on dependencies. Ledger’s CTO Charles Guillemet urged extra caution when confirming on-chain transactions. Practical steps include verifying wallet addresses manually, using hardware wallets for high-value transfers, and scanning workstations for suspicious processes.
Check package-lock.json or yarn.lock for references to chalk, strip-ansi, or color-convert, review recent package updates, and compare checksums against known clean releases. Use offline verification or reproduce builds in an isolated environment.
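An added example (not from the article or from npm) of the lockfile check described above: it walks a parsed package-lock.json, in either the flat `packages` layout or the older nested `dependencies` layout, and reports every resolved copy of the three named packages, comparing each integrity value against hashes you recorded from a known clean release. The sample lockfile, versions and hashes are constructed placeholders, because the article does not list the affected versions; yarn.lock is not covered.

```javascript
// Packages named in the article. It lists no affected versions, so every
// resolved copy is reported rather than guessing which release is bad.
const WATCH = new Set(["chalk", "strip-ansi", "color-convert"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for the root ("").
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? null : p.slice(i + "node_modules/".length);
}
// Collect every installed copy of a watched package, however deeply nested.
function findWatched(lock, watch = WATCH) {
  const hits = [];
  const add = (name, path, meta) => watch.has(name) &&
    hits.push({ name, path, version: meta.version, integrity: meta.integrity || null });
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = nameFromPath(path);
      if (name) add(name, path, meta);
    }
  } else if (lock.dependencies) { // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        add(name, path, meta);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}
// knownGood maps "name@version" to the integrity string you recorded from a
// clean release; anything absent from it is flagged for manual review.
function audit(lock, knownGood) {
  return findWatched(lock).map((h) => {
    const expected = knownGood[`${h.name}@${h.version}`];
    const status = !expected ? "unknown-version" : expected === h.integrity ? "match" : "MISMATCH";
    return { ...h, status };
  });
}

// Constructed sample data (placeholder versions and hashes, not real releases).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/chalk": { version: "0.0.1", integrity: "sha512-PLACEHOLDER-A" },
  "node_modules/example-cli/node_modules/strip-ansi": { version: "0.0.2", integrity: "sha512-PLACEHOLDER-B" },
  "node_modules/example-util": { version: "0.0.3", integrity: "sha512-PLACEHOLDER-C" },
} };
const SAMPLE_KNOWN_GOOD = { "chalk@0.0.1": "sha512-PLACEHOLDER-A", "strip-ansi@0.0.2": "sha512-PLACEHOLDER-X" };
console.log(audit(SAMPLE_LOCK, SAMPLE_KNOWN_GOOD));
```

For a real project, pass the result of `JSON.parse` on the contents of package-lock.json in place of `SAMPLE_LOCK`.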
Yes. Because the clipper modifies clipboard or transaction data at the system level, any developer workstation or user environment that performs clipboard-based or injected address operations could be at risk, regardless of whether the project is crypto-native.
Hardware wallets significantly reduce risk because they require on-device confirmation of transaction outputs. However, users should still verify receiving addresses on the hardware device’s screen and keep firmware up to date.