A clandestine cyber campaign is underway, siphoning digital currency from users during their transactions. Security experts are calling it potentially the biggest supply chain compromise ever witnessed.
According to reports, malicious actors gained control of NPM package maintainer accounts via targeted phishing campaigns, injecting malicious code designed to steal cryptocurrencies.
The scheme centered on misleading JavaScript developers with deceptive emails. These emails appeared to originate from what looked like a legitimate NPM registry domain, “[email protected],” but the domain was actually a cleverly disguised fake.
These phishing emails ominously warned maintainers that their accounts faced imminent lockout on September 10th. The threat could only be averted, according to the emails, by urgently updating their two-factor authentication details through a provided, but malicious, link.
The attackers successfully breached 18 widely-used JavaScript packages. Collectively, these packages are downloaded over 2.6 billion times each week.
The affected packages include vital development tools such as “chalk” (downloaded 300 million times weekly), “debug” (358 million), and “ansi-styles” (371 million). This widespread infiltration effectively impacts almost the entire JavaScript software development ecosystem.
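Because the compromised packages are pulled in transitively as well as directly, a practitioner's first question is which resolved versions of them a project actually installs. The following is an added example, not code from the article or from any of the projects named: a Node.js lockfile scanner that reports every install path of the packages named above so the versions can be compared against the advisory. The sample lockfile is constructed; the watchlist is assumed from the package names in the article.

```javascript
// Added example (not from the article): list every copy of the packages the
// reports name inside a package-lock.json, including nested duplicates, so
// their resolved versions can be checked against the advisory.
// Handles lockfileVersion 1 ("dependencies", nested tree) and 2/3 ("packages").
const WATCHLIST = new Set(["chalk", "debug", "ansi-styles", "eslint-config-prettier"]);

// Constructed sample lockfile (v3 shape) standing in for a real project's file.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/debug": { version: "4.3.7" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/express/node_modules/debug": { version: "2.6.9" },
  },
};

// Walk a v1 "dependencies" tree recursively, recording the install path.
function walkV1(deps, prefix, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (WATCHLIST.has(name)) out.push({ name, version: info.version, path });
    walkV1(info.dependencies, `${path}/`, out);
  }
}

// Return every watchlisted package in the lockfile with version and path,
// sorted by path so nested copies appear next to their parent.
function findWatchlisted(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      // Package name is everything after the last "node_modules/" (scoped names keep their "@scope/").
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      if (WATCHLIST.has(name)) found.push({ name, version: info.version, path });
    }
  } else {
    walkV1(lock.dependencies, "", found);
  }
  return found.sort((a, b) => a.path.localeCompare(b.path));
}

if (typeof require === "function" && require.main === module) {
  // Usage: node scan.js path/to/package-lock.json   (falls back to the sample)
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const hit of findWatchlisted(lock)) console.log(`${hit.name}@${hit.version}  (${hit.path})`);
}
```

The resolved versions it prints are only a starting point; compare them against the maintainers' advisory for the affected releases, which the article does not list.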
Targeting crypto
The rogue code functions as a browser-based interceptor. It diligently scrutinizes network traffic, specifically targeting cryptocurrency transactions across various blockchains, including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash.
When a user initiates a cryptocurrency transfer, the malware silently replaces the intended recipient’s wallet address. It swaps it out with an address controlled by the attackers, all before the transaction is signed and broadcast to the network.
Aikido Security researcher Charlie Eriksen explained the severity:
“What makes it dangerous is that it operates at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing.”
Ledger CTO Charles Guillemet issued a warning to cryptocurrency users about the ongoing risk, highlighting the potential compromise of the JavaScript ecosystem due to the sheer volume of downloads affected.
Users of hardware wallets remain relatively protected, provided they meticulously verify transaction details before signing. However, those using software wallets are at considerably higher risk. Guillemet advises extreme caution:
“If you don’t use a hardware wallet, refrain from making any on-chain transactions for now.”
He also expressed uncertainty regarding the attackers’ ability to directly extract seed phrases from software wallets.
Sophisticated targeting
This attack exemplifies a sophisticated supply chain compromise. Criminals are targeting trusted development infrastructure to gain access to end users’ systems and funds.
By successfully infiltrating packages downloaded billions of times each week, the attackers have gained unprecedented access to a vast array of cryptocurrency applications and wallet interfaces.
Reports identified the phishing infrastructure, specifically “websocket-api2.publicvm.com,” as the destination for exfiltrated credentials. This finding underscores the coordinated nature and planning involved in this operation.
This incident follows a trend of similar JavaScript library compromises throughout 2025, including the July attack on “eslint-config-prettier” (30 million weekly downloads), and compromises affecting ten popular NPM libraries in March.