Hackers Hijack 18 Popular npm Packages Downloaded Over 2 Billion Times Weekly

Hackers have hijacked 18 extremely popular npm packages, downloaded more than 2 billion times every week, injecting them with sophisticated malware that targets cryptocurrency users and developers.

Early on September 8th, a security feed flagged a sudden update to 18 npm packages, including favorites such as chalk, debug, chalk-template, and supports-color, with malicious code, according to a report by Aikido.

These packages are used by millions of apps and are the backbone for development tools, logging, color output, and text processing.

The attack has wide-reaching consequences given their enormous distribution, with some—like “debug” and “chalk”—each seeing hundreds of millions of weekly downloads.

Mass npm Package Hijack Discovered

The attackers injected malware that hooks critical browser APIs such as fetch, XMLHttpRequest, and wallet interfaces like window.ethereum and Solana.

The code stealthily scans traffic and web content for cryptocurrency wallet addresses and payment requests.

Figure: the modified index.js file, which contains obfuscated code

When a user interacts with their wallet—whether Ethereum, Bitcoin, Solana, Tron, Litecoin, or Bitcoin Cash—the malware silently swaps out the legitimate destination for an attacker-controlled wallet address that looks similar, rerouting digital assets without any visible UI change.

The malware also hijacks transaction signing by altering parameters mid-flight, ensuring that any transfer, approval, or allowance is actually sent to the attacker, even if the user interface appears normal.

Figure: the phishing email

The malware's main strategy relies on obfuscated code and lookalike wallet addresses, which make detection extremely difficult.

The initial infection vector was traced to a carefully crafted phishing email sent from a domain made to look like official npm support, tricking the maintainer into handing over credentials.

Once compromised, the attackers began updating packages and later targeted additional maintainers of other highly used projects.

Maintainers responded quickly and cleaned up the compromised packages, but some, such as simple-swizzle, remained infected hours after the breach.

This incident demonstrates the supply chain risks posed by popular open-source projects. Users are urged to validate dependencies, avoid using compromised versions, and check for signs of tampering—especially if handling cryptocurrency.

Projects like Aikido recommend automated safe-chain tools to detect and block package-level threats before they reach production apps.

Package Name      Weekly Downloads   Status
chalk             299.99m            Compromised
debug             357.6m             Compromised
ansi-styles       371.41m            Compromised
strip-ansi        261.17m            Compromised
chalk-template    3.9m               Compromised

This npm incident highlights how attacker-controlled updates to popular packages can endanger a vast segment of the software supply chain and cryptocurrency users worldwide.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.