
The NPM account of a trusted developer, known as qix, has been compromised, and malicious versions of dozens of widely used JavaScript packages have been published. These packages have been downloaded over one billion times, raising concerns that the entire JavaScript ecosystem may be at risk.
The attack introduces a malware payload that silently swaps cryptocurrency addresses during transactions, allowing attackers to hijack funds.
Understanding the Attack
Supply chain attacks target the tools and dependencies that developers rely on rather than individual users directly. In this case, the attacker gained access to qix’s NPM account and published altered package versions. Developers who automatically update their dependencies could inadvertently include malicious code in their projects.
🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.
The malicious payload works…
— Charles Guillemet (@P3b7_) September 8, 2025
The malware functions as a crypto-clipper. It intercepts wallet addresses in network requests and substitutes them with addresses controlled by the attacker. In effect, a developer could attempt a legitimate crypto transfer, only to have the funds redirected without noticing. Hardware wallet users are relatively safe as long as they carefully review every transaction before signing. However, anyone using software wallets should temporarily avoid on-chain transactions until the situation is fully understood.
🚨 Malware compromise on https://t.co/xyLWMGlnhe (cryptocurrency wallet drainer)
These packages have about a billion downloads
supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-name
— International Cyber Digest (@IntCyberDigest) September 8, 2025
This is not the first time the crypto and JavaScript communities have faced such risks. In 2021, a similar supply chain incident affected the UAParser.js library, causing widespread concern about malicious code propagation through dependencies. According to NPM’s own data, JavaScript remains the most widely used programming ecosystem, with billions of downloads weekly, highlighting the scale of potential impact when trusted packages are compromised.
NPM Supply Chain Attack Averted, But Risks Remain
Now, some hours later, Charles Guillemet, who reported the recent NPM supply chain attack, confirmed that the incident fortunately caused almost no victims. The attack started with a phishing email from a fake NPM support domain, which stole credentials and allowed the attackers to publish malicious package updates. The injected code targeted web crypto activity across Ethereum, Solana, and other chains, hijacking transactions by replacing wallet addresses in network responses. Mistakes by the attackers caused crashes in CI/CD pipelines, leading to early detection and limiting the impact.
Update on the NPM attack: The attack fortunately failed, with almost no victims.🔒
It began with a phishing email from a fake npm support domain that stole credentials and gave attackers access to publish malicious package updates. The injected code targeted web crypto activity,… https://t.co/Ud1SBSJ52v pic.twitter.com/lOik6k7Dkp
— Charles Guillemet (@P3b7_) September 9, 2025
Guillemet emphasized that funds in software wallets or on exchanges remain vulnerable, as a single code execution could result in loss. Hardware wallets offer protection through features like Clear Signing and Transaction Checks, letting users verify actions and flag suspicious activity. While the immediate threat has passed, the attack serves as a stark reminder that supply chain compromises are a powerful malware vector, and vigilance remains essential.
Many major crypto and wallet companies have publicly confirmed that they were not affected by the recent NPM supply chain attack. Hardware wallet providers like Ledger and Trezor emphasized that their devices remain secure due to manual transaction verification. Popular software wallets, including MetaMask, Trust Wallet, and Phantom, also reported no compromise, advising users to continue verifying transaction details. Exchanges and DeFi platforms, such as Uniswap, confirmed that their applications and smart contracts were not impacted by the malicious NPM packages. These statements reassure users that, despite the wide-reaching nature of the attack, the leading crypto services have maintained security and integrity.
As a MetaMask user, you do not need to be scared of the supply chain attack that took place earlier today.
MetaMask has multiple layers of defense to protect our products and users:
– Basic Security: We lock our versions, don’t push directly to main, have manual and automated…
— MetaMask.eth 🦊 (@MetaMask) September 8, 2025
How to Protect Yourself
Developers should immediately audit their project dependencies. Pin affected packages to their last known safe versions using the overrides feature in package.json. Avoid blindly updating packages without reviewing change logs or security advisories. For crypto users, consider confirming transaction details on hardware wallets and pausing transactions from software wallets until the ecosystem stabilizes.
Staying informed is critical. Monitoring NPM advisories, security forums, and developer communities can provide early warnings of similar attacks. Companies building blockchain applications should also consider automated dependency scanning tools to detect suspicious changes before they reach production.
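The audit-and-pin step described above, as an added example that is not code from npm or from the affected maintainer: it walks a package-lock.json (lockfileVersion 2 or 3), finds every installed copy of the packages named in this article, and builds the `overrides` object for package.json. The function names, the sample lockfile and all version strings are constructed placeholders; real flagged and vetted versions must come from the published advisories.

```javascript
// Package names as listed in the article.
const WATCHLIST = [
  'supports-hyperlinks', 'chalk-template', 'simple-swizzle', 'slice-ansi',
  'error-ex', 'is-arrayish', 'wrap-ansi', 'backslash', 'color-string',
  'color-convert', 'color', 'color-name',
];

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is the text after the last "node_modules/" (the root entry has key "").
function nameFromLockPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Report every installed copy of a watched package, nested copies included.
// `flagged` maps name -> versions an advisory lists as malicious (caller-supplied).
function auditLock(lock, flagged = {}) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(path);
    if (!name || !WATCHLIST.includes(name)) continue;
    const isFlagged = (flagged[name] || []).includes(meta.version);
    hits.push({ name, path, version: meta.version, flagged: isFlagged });
  }
  return hits;
}

// Build the package.json "overrides" object: each package with a flagged copy
// is pinned to the caller's vetted version. Never guesses a version.
function buildOverrides(hits, vetted) {
  const overrides = {};
  for (const { name } of hits.filter((h) => h.flagged)) {
    if (!vetted[name]) throw new Error(`no vetted version supplied for ${name}`);
    overrides[name] = vetted[name];
  }
  return overrides;
}

// Constructed sample lockfile; the versions are placeholders, not real releases.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/color-name': { version: '0.0.2-placeholder' },
    'node_modules/wrap-ansi': { version: '0.0.1-placeholder' },
    'node_modules/cli/node_modules/wrap-ansi': { version: '0.0.2-placeholder' },
    'node_modules/example-lib': { version: '0.0.2-placeholder' },
  },
};
console.log(auditLock(SAMPLE_LOCK)); // lists the three watched copies
```

An `overrides` entry keyed by a bare package name applies to every copy in the dependency tree, so the nested `wrap-ansi` copy is covered as well; re-run `npm install` afterwards so the lockfile is regenerated.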
The post NPM Supply Chain Attack Puts Crypto at Risk appeared first on Altcoin Buzz.