
NPM attack nets cybercriminals less than $50

by Newsroom
September 11, 2025

Hackers compromised the account of an NPM developer, installing malware in JavaScript libraries downloaded more than two billion times.

According to intelligence platform Security Alliance, the cybercriminals behind the NPM (Node Package Manager) attack have managed to steal less than $50 in cryptocurrency so far.

How the attack unfolded

After breaching the NPM account of Josh Goldberg, a well-known open-source maintainer known as “Qix,” the attack specifically targeted Ethereum and Solana wallets, Security Alliance reported. The attackers injected malware into popular JavaScript libraries already downloaded by over a billion users.

Despite the scale of the attack, the proceeds were meager. Security Alliance identified the Ethereum address “0xFc4a48” as the only malicious address used so far in the operation.

Security researcher Samczsun of SEAL commented:

“You compromise the account of a NPM developer whose packages are downloaded more than 2 billion times per week. You could have unfettered access to millions of developer workstations. Untold riches await you. The world is your oyster. You profit less than 50 USD.”

The expert compared the situation to “finding the keycard to Fort Knox and using it as a bookmark”.

Loot details

Initially, the attack yielded just five cents in Ether (ETH), later rising to about $20 in the following hours. Data from Etherscan shows that the malicious address also received several memecoins, including Brett (BRETT), Andy (ANDY), Dork Lord (DORK), Ethervista (VISTA), and Gondola (GONDOLA).

Technical mechanism

The attack affected key packages such as chalk, strip-ansi, and color-convert – small utilities deeply embedded in the dependency trees of countless projects. Even developers who hadn’t installed them directly may have been exposed.
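To see whether a project pulls in any of the packages named above, directly or through another dependency, the lockfile can be walked as in the following added example (not code from the article or from any project it mentions). The lockfile contents, the `demo-*` package names and the version strings are constructed placeholders; resolved versions found this way still have to be compared against the registry advisory.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for watched packages.
// WATCHLIST holds the package names given in the article; everything else is constructed.
const WATCHLIST = new Set(["chalk", "strip-ansi", "color-convert"]);

// Node-style lookup: nearest node_modules/<name> walking up from the requiring package.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the project root without a match
    const cut = base.lastIndexOf("node_modules/");
    base = cut <= 0 ? "" : base.slice(0, cut - 1);
  }
}

function auditLockfile(lock, watchlist = WATCHLIST) {
  const packages = lock.packages || {};
  const rootDeps = { ...packages[""]?.dependencies, ...packages[""]?.devDependencies };
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    const name = path.split("node_modules/").pop();
    if (!path || !watchlist.has(name)) continue;
    // Which installed packages declare this name and resolve to this exact copy?
    const requiredBy = [];
    for (const [fromPath, from] of Object.entries(packages)) {
      const deps = { ...from.dependencies, ...from.optionalDependencies };
      if (fromPath && name in deps && resolve(packages, fromPath, name) === path)
        requiredBy.push(fromPath.split("node_modules/").pop());
    }
    const direct = path === "node_modules/" + name && name in rootDeps;
    findings.push({ name, version: entry.version, path, direct, requiredBy });
  }
  return findings;
}

// Constructed sample lockfile: the app never lists chalk or strip-ansi itself.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "demo-cli": "^1.0.0" } },
    "node_modules/demo-cli": { version: "1.0.0", dependencies: { chalk: "*", "demo-table": "^1.0.0" } },
    "node_modules/demo-table": { version: "1.0.0", dependencies: { "strip-ansi": "*" } },
    "node_modules/chalk": { version: "0.0.0-placeholder" },
    "node_modules/demo-table/node_modules/strip-ansi": { version: "0.0.0-placeholder" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Both findings come back with `direct: false`, which is the exposure the paragraph describes: the packages arrive only through other dependencies.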

The malware used in the attack appears to be a crypto-clipper, a type of malicious software that replaces wallet addresses during transactions in order to divert funds.

Several wallet providers confirmed they were not compromised. Ledger and MetaMask declared their platforms safe, citing “multiple layers of defense” against such attacks.

Phantom Wallet also confirmed it does not use vulnerable versions of the compromised packages, while Uniswap clarified that none of its applications are at risk. Other platforms and wallets such as Aerodrome, Aqua, BitBox02, Bitcoin Keeper, Blast, Blockstream Jade, Blue Wallet, Bull Bitcoin Wallet, Coldcard, Cove Wallet, Electrum, Foundation Devices, Nunchuk, Revoke.cash, Seedsigner, Sparrow, Specter, Trezor and Wasabi Wallet confirmed they were unaffected.

Confirmed unaffected NPM attack: @covewallet @nunchuk_io @AquaBitcoin @Blockstream @SparrowWallet @wasabiwallet @COLDCARDwallet @SpecterWallet @ElectrumWallet @FOUNDATIONdvcs @selfcustodykrux @SeedSigner @bitcoinKeeper_
Will add others below in the thread as I'm informed of…

— BTC Sessions 😎 (@BTCsessions) September 9, 2025

Post-attack recommendations

DefiLlama’s pseudonymous founder, 0xngmi, specified that only projects updated after the infected NPM package was published could be at risk. However, even in those cases, users would still need to manually approve the malicious transaction for it to have any effect.

“If you use a hardware wallet, pay attention to every transaction before signing and you’re safe,” said Charles Guillemet, CTO of Ledger.

As a precautionary measure, several experts recommend temporarily avoiding the use of crypto websites until developers have fully cleaned up the compromised packages.
