Hackers have compromised widely used JavaScript software libraries in what’s being called the largest supply chain attack in history. The injected malware is reportedly designed to steal crypto by swapping wallet addresses and intercepting transactions.
According to several reports on Monday, hackers broke into the node package manager (NPM) account of a well-known developer and secretly added malware to popular JavaScript libraries used by millions of apps.
The malicious code swaps or hijacks crypto wallet addresses, potentially putting many projects at risk.
“There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised,” Ledger Chief Technology Officer Charles Guillemet warned on Monday. “The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.”
The breach targeted packages such as chalk, strip-ansi and color-convert — small utilities buried deep in the dependency trees of countless projects. Together, these libraries are downloaded more than a billion times each week, meaning even developers who never installed them directly could be exposed.
NPM is like an app store for developers — a central library where they share and download small code packages to build JavaScript projects.
Attackers appear to have planted a crypto-clipper, a type of malware that silently replaces wallet addresses during transactions to divert funds.
Security researchers warned that users relying on software wallets may be especially vulnerable, while those confirming every transaction on a hardware wallet are protected.
Phishing emails gave attackers access to NPM maintainer accounts
Attackers sent emails posing as official NPM support, warning maintainers that their accounts would be locked unless they “updated” two-factor authentication by September 10.
The fake site captured login credentials, giving hackers control over a maintainer’s account. Once inside, the attackers pushed malicious updates to packages with billions of weekly downloads.
Charlie Eriksen, a researcher at Aikido Security, told BleepingComputer the attack was especially dangerous because it operated “at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing.”
This is a developing story, and further information will be added as it becomes available.
Magazine: Inside a 30,000 phone bot farm stealing crypto airdrops from real users
