SCHEDULE A CALL

Hackers Hijacked 18 Very Popular npm Packages With 2 Billion Weekly Downloads

In the largest supply chain attack, hackers compromised 18 popular npm packages, which together account for over two billion downloads per week. The attack, which began on September 8th, involved injecting malicious code designed to steal cryptocurrency from users.

The compromised packages include widely used libraries such as chalkdebugansi-styles, and supports-color. The malicious code was added in new versions of these packages and was engineered to execute on the client-side of websites using them.

The malware silently intercepts cryptocurrency and Web3 activities within the browser, manipulating wallet interactions and rewriting payment destinations to redirect funds to attacker-controlled accounts.

The malware operates as a sophisticated in-browser interceptor, targeting both network traffic and application-level APIs. It achieves this by hooking into core browser functions like fetch XMLHttpRequest, as well as interfaces for popular crypto wallets for Ethereum, Solana, and other blockchains, Akidio observed.

The malicious code works in a series of steps:

  1. Injection and Hooking: It embeds itself into the browser environment and takes control of functions related to web requests and wallet communications.

  2. Scanning for Sensitive Data: The malware actively scans network responses and transaction details for patterns matching cryptocurrency wallet addresses for various blockchains, including Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash.

  3. Rewriting Wallet Addresses: Upon finding a legitimate address, the malware replaces it with a look-alike address from a hardcoded list belonging to the attackers. This is done using string-matching algorithms to make the swap less noticeable to the user.

  4. Hijacking Transactions: The code alters transaction parameters before the user signs them. This means that even if the user interface displays the correct recipient address, the signed transaction will route funds or grant token approvals to the attackers.

The maintainer of the compromised packages revealed they fell victim to a phishing attack. An email, seemingly from npm support, was sent from the domain npmjs.help, tricking the developer into revealing their credentials, according to a Hacker News post.

This domain was registered only three days before the attack on September 5, 2025.

Phishing Mail compromised the developer

The maintainer became aware of the compromise and began taking steps to remove the malicious versions of the packages. However, at the time of the report, at least one package, simple-swizzle, remained compromised.

The incident also revealed that the same attackers may have compromised another package, proto-tinker-wc, using similar methods.

The following table lists the affected packages and the compromised versions:

Package Malicious Version
backslash 0.2.1
chalk-template 1.1.1
supports-hyperlinks 4.1.1
has-ansi 6.0.1
simple-swizzle 0.2.3
color-string 2.1.1
error-ex 1.3.3
color-name 2.0.1
is-arrayish 0.3.3
slice-ansi 7.1.1
color-convert 3.1.1
wrap-ansi 9.0.1
ansi-regex 6.2.1
supports-color 10.2.1
strip-ansi 7.1.1
chalk 5.6.1
debug 4.4.2
ansi-styles 6.2.2

Powered by

  • iSecurify Facebook iSecurify LinkedIn
Useful links
Contact Us
  • Email: info@isecurify.co
©2024 iSecurify. All Rights Reserved.