The NPM (node packet manager) account of developer \u2018qix\u2019 was compromised, allowing hackers to publish malicious versions of his packages.<\/p>\n
The attackers <\/a>published malicious versions of dozens of extremely popular JavaScript packages, including fundamental utilities. The hack was massive in scope since the affected packages have over 1 billion combined weekly downloads.<\/p>\n This attack on the software supply chain specifically targets the JavaScript\/Node.js ecosystem.<\/p>\n NPM Supply Chain Attack<\/p>\n Popular dev qix fell victim to phishing. Malicious code injected into npm packages now hijacks crypto transactions at signing.<\/p>\n Attack method: \u2014 Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) September 8, 2025<\/a><\/p>\n\n The malicious code was a \u201ccrypto-clipper\u201d designed to steal cryptocurrency by swapping wallet addresses in network requests and hijacking crypto transactions directly. It was also heavily obfuscated to avoid detection.<\/p>\n The crypto-stealing malware<\/a> has two attack vectors. When no crypto wallet extension is found, the malware intercepts all network traffic by replacing the browser\u2019s native fetch and HTTP request functions with extensive lists of attacker-owned wallet addresses.<\/p>\n Using sophisticated address swapping, it employs algorithms to find replacement addresses that look visually similar to legitimate ones, making the fraud nearly impossible to spot with the naked eye, said<\/a> cybersecurity researchers.<\/p>\n If a crypto wallet is found, the malware intercepts transactions before signing, and when users initiate transactions, it modifies them in memory to redirect funds to attacker addresses.<\/p>\n The attack targeted packages such as \u2018chalk,\u2019 \u2018strip-ansi,\u2019 \u2018color-convert,\u2019 and \u2018color-name,\u2019 which are core building blocks buried deep in the dependency trees of countless projects.<\/p>\n The attack was discovered accidentally when a build pipeline failed with a \u201cfetch is not defined\u201d error as the malware attempted to exfiltrate data using the fetch function.<\/p>\n \u201cIf you use a hardware wallet, pay attention to every transaction before signing, and you\u2019re safe. If you don\u2019t use a hardware wallet, refrain from making any on-chain transactions for now,\u201d advised<\/a> Ledger CEO Charles Guillemet.<\/p>\n Explanation of the current npm hack<\/p>\n In any website that uses this hacked dependency, it gives a chance to the hacker to inject malicious code, so for example when you click a \u201cswap\u201d button on a website, the code might replace the tx sent to your wallet with a tx sending money to\u2026<\/p>\n \u2014 0xngmi (@0xngmi) September 8, 2025<\/a><\/p>\n\n While the malware\u2019s payload specifically targets cryptocurrency, the attack vector is much broader. It\u00a0affects any environment running JavaScript\/Node.js applications, such as web applications running in browsers, desktop applications, server-side Node.js applications, and mobile apps using JavaScript frameworks.<\/p>\n So a regular business web application could unknowingly include these malicious packages, but the malware would only activate when users interact with cryptocurrency on that site.<\/p>\n Uniswap<\/a> and Blockstream<\/a> were among the first to reassure users that their systems were not at risk.<\/p>\n Regarding the reports of the NPM supply chain attack:<\/p>\n Uniswap apps are not at risk<\/p>\n Our team has confirmed that we do not use any vulnerable versions of the affected packages<\/p>\n As always, be vigilant<\/p>\n \u2014 Uniswap Labs (@Uniswap) September 8, 2025<\/a><\/p>\n\n The post Crypto-Stealing Malware Infiltrates Core JavaScript Libraries Used by Millions<\/a> appeared first on CryptoPotato<\/a>.<\/p>","protected":false},"excerpt":{"rendered":" The NPM (node packet manager) account of developer \u2018qix\u2019 was compromised, allowing hackers to publish malicious versions of his packages. The attackers published malicious versions of dozens of extremely popular JavaScript packages, including fundamental utilities. The hack was massive in scope since the affected packages have over 1 billion combined weekly downloads. This attack on […]<\/p>\n","protected":false},"author":0,"featured_media":95179,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-95178","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-discovery"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/95178"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=95178"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/95178\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/media\/95179"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=95178"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=95178"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=95178"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n\u2022 Hooks wallet functions (request\/send)
\n\u2022 Swaps recipient addresses in ETH\/SOL transactions
\n\u2022 Replaces\u2026 pic.twitter.com\/Jn9H4HWP8v<\/a><\/p>\nCrypto Clipper Malware<\/h2>\n
Broad Attack Vector<\/h2>\n