Major npm maintainer hijacked in supply‑chain attack that republished packages to steal crypto

npm supply chain attack compromised a major maintainer and republished packages to swap crypto wallet addresses—financial loss was small but security costs are significant.

What happened: A phishing message compromised a high‑profile npm maintainer known as qix, enabling attackers to republish popular packages (including chalk and debug‑js) with malicious code designed to intercept cryptocurrency activity in the browser.

The injected code checked for window.ethereum and hooked Ethereum transaction functions so that calls like approve, transfer and transferFrom were redirected to a single attacker wallet. For Solana transfers, the payload overwrote the recipient address with an invalid string, breaking those transactions. The malware also hijacked fetch and XMLHttpRequest to scan JSON responses and swap wallet addresses with one of 280 hardcoded, look‑alike alternatives.
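The hooking described above leaves a fingerprint a page can check for itself. The following is an added example, not code from the article or from any project it names: wrappers for fetch, XMLHttpRequest.prototype.open/send and a wallet provider's request() are ordinary JavaScript functions, while the browser's built-ins serialise as "[native code]", so a startup tripwire can tell the two apart. The property paths, the snapshot scheme for window.ethereum and the test inputs are assumptions of the example.

```javascript
// Added example (not code from the article or from any project it names): a
// defender-side canary for monkey-patched fetch/XMLHttpRequest/wallet provider.

const nativeToString = Function.prototype.toString; // capture before any dependency loads

// Source text of fn via the captured toString, tolerant of hostile objects.
function sourceOf(fn) {
  try {
    return String(nativeToString.call(fn));
  } catch (e) {
    return '<unreadable>'; // e.g. a Proxy whose trap throws
  }
}

// True when fn is an engine built-in, false for a JavaScript wrapper.
// Known blind spots: bound functions and callable Proxies also serialise as
// native, and a payload that replaces Function.prototype.toString before this
// file runs defeats the check; it is a cheap tripwire, not a sandbox like LavaMoat.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(sourceOf(fn));
}

// Built-ins the payload replaced, as property paths from a root object
// (window in a browser; the tests pass a constructed object instead).
const WATCHED_BUILTINS = [
  ['fetch'],
  ['XMLHttpRequest', 'prototype', 'open'],
  ['XMLHttpRequest', 'prototype', 'send'],
];

function resolvePath(root, path) {
  return path.reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// One finding per watched built-in: 'native', 'wrapped' (with the wrapper's
// source prefix for triage) or 'absent' (so a runtime without XMLHttpRequest is
// not mistaken for tampering). Node's own fetch is written in JavaScript, so
// this audit is meaningful in a browser, not when pointed at Node's globalThis.
function auditBuiltins(root) {
  return WATCHED_BUILTINS.map((path) => {
    const name = path.join('.');
    const fn = resolvePath(root, path);
    if (fn === undefined) return { name, status: 'absent' };
    if (isNativeFunction(fn)) return { name, status: 'native' };
    return { name, status: 'wrapped', source: sourceOf(fn).slice(0, 80) };
  });
}

// window.ethereum is injected by the wallet extension and is legitimately
// JavaScript, so the native test does not apply there. Instead snapshot the
// provider's request function and property set at load time and compare later:
// a hook that swaps request() for a wrapper changes that function's identity.
function fingerprintProvider(provider) {
  if (!provider || typeof provider.request !== 'function') return null;
  return {
    request: provider.request,
    ownKeys: Object.getOwnPropertyNames(provider).sort().join(','),
  };
}

function providerChanged(snapshot, provider) {
  const now = fingerprintProvider(provider);
  if (snapshot === null || now === null) return snapshot !== now;
  return snapshot.request !== now.request || snapshot.ownKeys !== now.ownKeys;
}
```

In a browser, run `auditBuiltins(window)` from the first script on the page and again just before submitting a transaction, and keep the load-time `fingerprintProvider(window.ethereum)` to feed `providerChanged` later; any 'wrapped' finding or a changed provider is a reason to stop and investigate the dependency tree rather than sign.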

Scope and impact: The compromised packages are widely used and see billions of downloads, making this a significant supply‑chain incident. On‑chain records show the attacker received only a few cents in ether and about $20 in a low‑liquidity memecoin, so financial theft appears minimal. Still, the attack’s reach — altering developer dependencies — creates long‑term risk for projects and users that pulled the affected releases.

Why readers should care: npm is a core distribution channel for JavaScript; when a trusted maintainer is taken over, malicious code can propagate to countless projects and end users. Even low direct theft can cause major costs: incident response, dependency audits, credential rotation, and rebuilding trust.

Mitigation and next steps: Developers should audit lockfiles, pin package versions, rotate credentials and enable multi‑factor authentication on maintainer accounts. Wallet vendors like MetaMask said they were not affected because they lock code versions and use runtime protections such as LavaMoat and address‑blocking tools. Organizations should treat this as a reminder to improve supply‑chain hygiene and monitoring.
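The lockfile audit and version pinning recommended above can be automated in a CI step. The following is an added example, not code from the article or from any project it names: it walks a parsed package-lock.json (both the nested lockfileVersion 1 layout and the flat lockfileVersion 2/3 "packages" map) against a denylist of package@version pairs, and flags package.json dependency ranges that are not exact versions. The denylist versions and the sample lockfile are constructed placeholders; take the real affected versions from the vendor advisory.

```javascript
// Added example (not code from the article or any project it names): audit an
// npm lockfile against known-bad versions and report unpinned ranges.

// Name -> affected versions. PLACEHOLDER values, not the real advisory data.
const EXAMPLE_DENYLIST = {
  chalk: ['9.9.9'],
  debug: ['9.9.9'],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (lockfile v2/v3 keys).
function nameFromPath(pathKey) {
  const marker = 'node_modules/';
  const idx = pathKey.lastIndexOf(marker);
  return idx === -1 ? pathKey : pathKey.slice(idx + marker.length);
}

// Yield { name, version, location } for every installed package, including
// nested copies, which a flat `npm ls` style check can miss.
function* installedPackages(lock) {
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; '' is the root project.
    for (const [pathKey, entry] of Object.entries(lock.packages)) {
      if (pathKey === '' || !entry.version) continue;
      yield { name: entry.name || nameFromPath(pathKey), version: entry.version, location: pathKey };
    }
    return;
  }
  // lockfileVersion 1: nested "dependencies" objects.
  function* walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const location = `${prefix}node_modules/${name}`;
      yield { name, version: entry.version, location };
      yield* walk(entry.dependencies, `${location}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}

// Every installed package whose exact version appears in the denylist.
function findDenylisted(lock, denylist = EXAMPLE_DENYLIST) {
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    const bad = denylist[pkg.name];
    if (bad && bad.includes(pkg.version)) hits.push(pkg);
  }
  return hits;
}

// A range such as ^1.2.3 or * lets a future `npm install` pull a newly
// published malicious release; an exact version (enforced by `npm ci` against
// the lockfile) does not.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function findUnpinned(pkgJson) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkgJson[field] || {})) {
      if (!EXACT_VERSION.test(range)) out.push({ field, name, range });
    }
  }
  return out;
}

// Constructed sample inputs (versions are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/chalk': { version: '9.9.9' },
    'node_modules/debug': { version: '4.0.0' },
    'node_modules/foo/node_modules/chalk': { version: '9.9.9' }, // nested copy
  },
};
const SAMPLE_PKG = {
  dependencies: { chalk: '^9.9.9', debug: '4.0.0' },
  devDependencies: { eslint: '*' },
};
```

In a real pipeline, parse the project's package-lock.json and package.json with JSON.parse and fail the build when `findDenylisted` returns any hit; treat `findUnpinned` output as a warning to fix before the next release, since pinning only helps if installs also use `npm ci` so the lockfile is honoured.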

Source: Security Alliance. Read the original coverage for full details.
