A new cyberattack is silently targeting crypto from users during transactions amid an incident that security researchers describe as the largest supply chain attack in history.
BleepingComputer reported that hackers compromised NPM package maintainer accounts through phishing emails and injected malware that steals crypto.
The attack targeted JavaScript developers with fraudulent emails appearing to originate from “[email protected],” an impersonated domain mimicking the legitimate NPM registry.
The phishing messages warned maintainers that their accounts would be locked on Sept. 10, unless they updated their two-factor authentication credentials through a malicious link.
Attackers successfully compromised 18 widely-used JavaScript packages with collective weekly downloads exceeding 2.6 billion.
The compromised libraries include fundamental development tools such as “chalk” (300 million weekly downloads), “debug” (358 million), and “ansi-styles” (371 million), affecting virtually the entire JavaScript ecosystem.
Targeting crypto
The malicious code operates as a browser-based interceptor, monitoring network traffic for crypto transactions across Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash networks.
When users initiate crypto transfers, the malware silently replaces destination wallet addresses with attacker-controlled accounts before transaction signing.
Aikido Security researcher Charlie Eriksen explained:
The Crypto Investor Blueprint: A 5-Day Course On Bagholding, Insider Front-Runs, and Missing Alpha
“What makes it dangerous is that it operates at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing.”
Ledger CTO Charles Guillemet warned crypto users about the ongoing threat, noting the JavaScript ecosystem may be compromised given the massive download figures.
Hardware wallet users retain protection if they verify transaction details before signing, while software wallet users face a higher risk. Guillemet advised:
“If you don’t use a hardware wallet, refrain from making any on-chain transactions for now.”
He also noted uncertainty about whether attackers can directly extract seed phrases from software wallets.
Sophisticated targeting
The attack represents a sophisticated supply chain targeting where criminals compromise trusted development infrastructure to reach end users.
By infiltrating packages downloaded billions of times weekly, attackers gained unprecedented access to cryptocurrency applications and wallet interfaces.
BleepingComputer identified the phishing infrastructure exfiltrating credentials to “websocket-api2.publicvm.com,” demonstrating the coordinated nature of the operation.
This incident follows similar JavaScript library compromises throughout 2025, including the July attack on “eslint-config-prettier,” which had 30 million weekly downloads, and March compromises affecting ten popular NPM libraries.
Mentioned in this article
