Hackers have compromised widely used JavaScript software libraries in what’s being called the largest supply chain attack in history. The injected malware is reportedly designed to steal crypto by swapping wallet addresses and intercepting …
Hackers have compromised widely used JavaScript software libraries in what’s being called the largest supply chain attack in history. The injected malware is reportedly designed to steal crypto by swapping wallet addresses and intercepting transactions.
According to several reports on Monday, hackers broke into the node package manager (NPM) account of a well-known developer and secretly added malware to popular JavaScript libraries used by millions of apps.
The malicious code swaps or hijacks crypto wallet addresses, putting billions of downloads’ worth of projects at risk.
“There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised," Ledger chief technology officer Charles Guillemet warned on Monday. “The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.”
The breach targeted packages such as chalk, strip-ansi and color-convert — small utilities buried deep in the dependency trees of countless projects. Together, these libraries are downloaded more than a billion times each week, meaning even developers who never installed them directly could be exposed.
NPM is like an app store for developers — a central library where they share and download small code packages to build JavaScript projects.
Attackers appear to have planted a crypto-clipper, a type of malware that silently replaces wallet addresses during transactions to divert funds. Security researchers warned that users relying on software wallets may be especially vulnerable, while those confirming every transaction on a hardware wallet are protected.
It remains unclear whether the malware also attempts to steal seed phrases directly.
This is a developing story, and further information will be added as it becomes available.
Magazine: Inside a 30,000 phone bot farm stealing crypto airdrops from real users
