Massive Supply Chain Attack Hits Crypto Ecosystem via NPM

A massive supply chain attack just hit the JavaScript ecosystem.

18 core NPM packages were hacked, including chalk, strip ansi and debug.

These libraries have over 2 billion weekly downloads.

Here’s what happened, how it affects crypto and how to stay safe 🧵

On September 8th, the NPM account of developer Qix- was hacked through a phishing email:

support@npmjshelp

Attackers pushed malicious updates to 18 widely used packages, including:

chalk
strip-ansi
color-convert
debug
error-ex
ansi-styles

The phishing domain was registered just three days before the attack.

Once they got access, they moved fast, malicious versions were live within hours.

These libraries are foundational.

They sit deep inside most web apps, which is why the impact is so dangerous.

The malware is a crypto clipper built to steal funds.

It works in two ways:

• Passive address swap: silently replaces wallet addresses inside dApps.

• Active hijack: intercepts live transactions before signing and swaps the destination address.

This makes it almost invisible.

The malware uses the Levenshtein algorithm to replace your wallet address with one that looks visually similar.

You think you are sending to your own wallet.

But you’re sending to theirs.

The attacker’s main Ethereum wallet:
0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976

Backup wallets found:

0xa29eEfB3f21Dc8FA8bce065Db4f4354AA683c024
0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B
0x30F895a2C66030795131FB66CBaD6a1f91461731

So far, no funds have been moved

How this started:

Developers first noticed strange build errors like fetch is not defined.

When they inspected the code, they found heavy obfuscation hiding functions like checkethereumw

A clear sign this was targeting crypto.

If you build or use apps connected to crypto:

• Use a hardware wallet and carefully check addresses before signing
• Pin exact package versions in package.json
• Run npm ci instead of npm install
• Rotate your GitHub and NPM keys now

This time, the community caught it fast.

But the fact that 2 billion weekly downloads were compromised shows how fragile our systems are.

For more information please check this post:
https://x.com/P3b7_/status/1965094840959410230