In early September 2025, attackers compromised a widely used npm account belonging to a well-known developer. With a convincing phishing email impersonating npm support, they stole the maintainer's credentials and pushed malicious updates to eighteen popular packages such as chalk, strip-ansi and color-convert. Together these packages see billions of downloads each week. The rogue updates contained crypto-clipping malware that silently replaces cryptocurrency addresses during transactions.
The malware uses the Levenshtein algorithm to identify wallet addresses and swap them for attacker-controlled addresses across Bitcoin, Ethereum, Solana, Tron, Litecoin and Bitcoin Cash. It hooks browser functions and monitors clipboard activity, modifying addresses in memory before the victim signs the transaction. Developers can mitigate similar supply-chain attacks by auditing dependencies, enabling two-factor authentication on package registries, and using lockfiles and package overrides to pin trusted versions.
Sources
[1] PlayToEarn, "NPM Supply Chain Attack Exposes Over 2 Billion Weekly Downloads to Crypto Wallet Malware" (Sept 9, 2025). https://playtoearn.net/news/npm-supply-chain-attack-exposes-over-2-billion-weekly-downloads-to-crypto-wallet-malware