NPM Attack: Crypto-Stealing Malware Injected into Libraries
NPM Supply Chain Attack Compromises JavaScript Libraries
A widespread attack on the Node Package Manager (NPM) has resulted in the injection of crypto-stealing malware into core JavaScript libraries. This incident, dubbed the largest supply chain attack in history, targets cryptocurrency wallets by manipulating addresses and intercepting transactions.
Hackers gained access to the NPM account of a reputable developer and secretly added malicious code to popular JavaScript libraries, impacting millions of applications.
How the Attack Works
The injected malware functions as a crypto-clipper, silently replacing recipient wallet addresses during transactions to redirect funds to the attackers.
“There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised,” Ledger CTO Charles Guillemet warned. “The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.”
Compromised packages include chalk, strip-ansi, and color-convert, which are deeply embedded in the dependency trees of numerous projects. These libraries collectively see over a billion downloads weekly, so even developers who never installed them directly are exposed through transitive dependencies.
Attack Vector: Phishing
Attackers targeted NPM maintainer accounts through phishing emails disguised as official NPM support. These emails warned maintainers of impending account locks unless they updated their two-factor authentication via a fraudulent site.
This allowed the attackers to capture login credentials, gain control over maintainer accounts, and push malicious updates to widely used packages.
Charlie Eriksen, a researcher at Aikido Security, highlighted the severity of the attack, describing the injected code as capable of “altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing.”
Impact and Mitigation
- Users of software wallets are particularly vulnerable.
- Hardware wallet users who verify every transaction are better protected.
This event underscores the importance of robust security practices and supply chain risk management in software development. For blockchain projects looking to bolster their security posture, consider Codeum's smart contract audit services to identify and mitigate potential vulnerabilities.