A phishing email on Monday took down one of Node.js’s most prolific developers by pushing malicious code into packages downloaded billions of times a week, in what researchers call the largest software supply-chain attack in recent times.
While the scope of the attack is massive, Security Alliance said in a Tuesday report that the attacker walked away with barely a few cents. However, security teams now face the substantial cost of updating backend systems to counter further attacks.
A very popular maintainer whose work (like chalk and debug-js) gets used in billions of downloads every week, known as “qix,” responsible for libraries such as chalk and debug-js, was compromised last week after receiving an email from support@npmjs[.]help. The domain once pointed to a Russian server and redirected to a spoofed two-factor authentication page hosted on the content delivery network BunnyCDN.
The credential stealer harvested username, password, and 2FA codes before sending them to a remote host. With full access, the attacker republished every qix package with a crypto-focused payload.
Node Package Manager (shortened to npm, not NPM) is like an app store for developers and is where coders download little building blocks of code (called packages) instead of writing everything from scratch. A maintainer is the person or entity who creates and updates those packages.
How the attack happened
The injected code was simple. It checked if window.ethereum was present and, if so, hooked into Ethereum’s core transaction functions. Calls to approve, permit, transfer, or transferFrom were silently rerouted to a single wallet, “0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976.”
Any Ethereum transaction with value and no data was also redirected. For Solana, the malware overwrote recipients with an invalid string beginning “1911…,” breaking transfers outright.
Network requests were also intercepted.
By hijacking fetch and XMLHttpRequest, the malware scanned JSON responses for substrings resembling wallet addresses and replaced them with one of 280 hardcoded alternatives to look deceptively similar.
Impact of the attack
But for all the distribution, the impact was negligible.
On-chain data shows the attacker received only around five cents of ether and about $20 worth of an illiquid memecoin that traded less than $600 in volume, the Security Alliance report said.
Popular browser wallet MetaMask also said on X that it was not affected by the npm supply chain attack as the wallet locks its code versions, uses manual and automated checks, and releases updates in stages. It also employs “LavaMoat,” which blocks malicious code even if inserted, and “Blockaid,” which rapidly flags compromised wallet addresses, to keep such attacks at bay.
Meanwhile, Ledger CTO Charles Guillemet warned that the malicious code had been pushed into packages with over a billion downloads and was designed to silently replace wallet addresses in transactions.
The attack follows another case flagged last week by ReversingLabs, where npm packages used Ethereum smart contracts to conceal malware links — a technique that disguised command-and-control traffic as ordinary blockchain calls.
Source: https://www.coindesk.com/markets/2025/09/09/ethereum-solana-wallets-targeted-in-massive-npm-attack-but-just-5-cents-taken
