Crypto-Stealing Malware Infiltrates Core JavaScript Libraries Used by Millions

The NPM (node packet manager) account of developer ‘qix’ was compromised, allowing hackers to publish malicious versions of his packages.

The attackers published malicious versions of dozens of extremely popular JavaScript packages, including fundamental utilities. The hack was massive in scope since the affected packages have over 1 billion combined weekly downloads.

This attack on the software supply chain specifically targets the JavaScript/Node.js ecosystem.

NPM Supply Chain Attack

Popular dev qix fell victim to phishing. Malicious code injected into npm packages now hijacks crypto transactions at signing.

Attack method:
• Hooks wallet functions (request/send)
• Swaps recipient addresses in ETH/SOL transactions
• Replaces… pic.twitter.com/Jn9H4HWP8v

— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) September 8, 2025

Crypto Clipper Malware

The malicious code was a “crypto-clipper” designed to steal cryptocurrency by swapping wallet addresses in network requests and hijacking crypto transactions directly. It was also heavily obfuscated to avoid detection.

The crypto-stealing malware has two attack vectors. When no crypto wallet extension is found, the malware intercepts all network traffic by replacing the browser’s native fetch and HTTP request functions with extensive lists of attacker-owned wallet addresses.

Using sophisticated address swapping, it employs algorithms to find replacement addresses that look visually similar to legitimate ones, making the fraud nearly impossible to spot with the naked eye, said cybersecurity researchers.

If a crypto wallet is found, the malware intercepts transactions before signing, and when users initiate transactions, it modifies them in memory to redirect funds to attacker addresses.

The attack targeted packages such as ‘chalk,’ ‘strip-ansi,’ ‘color-convert,’ and ‘color-name,’ which are core building blocks buried deep in the dependency trees of countless projects.

The attack was discovered accidentally when a build pipeline failed with a “fetch is not defined” error as the malware attempted to exfiltrate data using the fetch function.

“If you use a hardware wallet, pay attention to every transaction before signing, and you’re safe. If you don’t use a hardware wallet, refrain from making any on-chain transactions for now,” advised Ledger CEO Charles Guillemet.

Explanation of the current npm hack

In any website that uses this hacked dependency, it gives a chance to the hacker to inject malicious code, so for example when you click a “swap” button on a website, the code might replace the tx sent to your wallet with a tx sending money to…

— 0xngmi (@0xngmi) September 8, 2025

Broad Attack Vector

While the malware’s payload specifically targets cryptocurrency, the attack vector is much broader. It affects any environment running JavaScript/Node.js applications, such as web applications running in browsers, desktop applications, server-side Node.js applications, and mobile apps using JavaScript frameworks.

So a regular business web application could unknowingly include these malicious packages, but the malware would only activate when users interact with cryptocurrency on that site.

Uniswap and Blockstream were among the first to reassure users that their systems were not at risk.

Regarding the reports of the NPM supply chain attack:

Uniswap apps are not at risk

Our team has confirmed that we do not use any vulnerable versions of the affected packages

As always, be vigilant

— Uniswap Labs (@Uniswap) September 8, 2025