Hackers Exploit JavaScript Developer Accounts in Massive Crypto Malware Attack
A major supply-chain attack has infiltrated widely used JavaScript packages, potentially putting billions of dollars in crypto at risk. Charles Guillemet, chief technology officer at hardware wallet maker Ledger, warned that hackers have compromised a reputable developer’s Node Package Manager (NPM) account to push malicious code into packages downloaded more than a billion times.
The injected malware is designed to quietly swap cryptocurrency wallet addresses in transactions, meaning users could unknowingly send funds directly to attackers. “The malicious code attempts to drain users by swapping addresses used in transactions or general on-chain activity and replacing them with the hacker’s address,” Guillemet explained.
🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.
The malicious payload works…
— Charles Guillemet (@P3b7_) September 8, 2025
Supply Chain Attack Hits Deep Into Developer Ecosystem
NPM is a core tool in JavaScript development, widely used to integrate external packages into applications. When a developer’s account is compromised, attackers can slip malware into packages that developers then unknowingly deploy in decentralized applications or software wallets.
Security researchers warn that software wallet users are particularly vulnerable, while hardware wallets remain largely protected. According to 0xngmi, founder of DefiLlama, the code does not automatically drain wallets. Users must still approve transactions, but compromised packages can silently change transaction details.
Explanation of the current npm hack
In any website that uses this hacked dependency, it gives a chance to the hacker to inject malicious code, so for example when you click a “swap” button on a website, the code might replace the tx sent to your wallet with a tx sending money to…
— 0xngmi (@0xngmi) September 8, 2025
Developers who pin dependencies to older, safe versions may avoid exposure, but users cannot easily verify which sites are safe. Experts recommend avoiding crypto transactions until affected packages are cleaned up.
Phishing Emails and Account Takeover
The breach began with phishing emails sent to NPM maintainers, claiming their accounts would be locked unless they “updated” two-factor authentication by Sept. 10.
The fake site captured credentials, giving attackers control of developer accounts. From there, malicious updates were pushed to packages downloaded billions of times.
Charlie Eriksen of Aikido Security said the attack operates “at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing.”
ATTACK UPDATE: A massive supply-chain compromise has affected packages with over 2 billion weekly downloads, targeting *CRYPTO*
Here’s how it works 👇
1) Injects itself into the browser
Hooks core functions like fetch, XMLHttpRequest, and wallet APIs (window.ethereum, Solana,…
— Aikido Security (@AikidoSecurity) September 8, 2025
Technical Details of the Crypto-Targeted Malware
The malware hooks into core browser functions and wallet APIs such as window.ethereum and Solana, allowing it to intercept both web traffic and wallet activity. By doing so, attackers can redirect crypto transactions before users notice.
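The hooking described above (wrapping fetch, XMLHttpRequest and the injected wallet provider) leaves a trace that a site's own first-party script can check for. The following is an added example, not code from the article or from Ledger or Aikido: it flags engine-provided APIs whose implementation is no longer native code, and wallet-provider functions whose reference has changed since an early page-load snapshot (a provider such as window.ethereum is itself ordinary JavaScript, so the native-code test cannot be applied to it). The window.solana.signTransaction path is an assumed provider layout used for illustration. The snapshot has to be taken before any third-party bundle runs, and a payload that also replaces Function.prototype.toString can defeat the native-code test, so treat this as one detection signal rather than a guarantee.

```javascript
// Engine-provided entry points: genuine implementations report "[native code]".
const ENGINE_ENTRY_POINTS = [
  ["fetch"],
  ["XMLHttpRequest", "prototype", "open"],
  ["XMLHttpRequest", "prototype", "send"],
];

// Wallet provider entry points (EIP-1193 window.ethereum; window.solana path is
// an assumption for illustration). These are injected by extensions as plain
// JavaScript, so they are checked by reference identity against a snapshot.
const PROVIDER_ENTRY_POINTS = [
  ["ethereum", "request"],
  ["solana", "signTransaction"],
];

// Walk a dotted path from the global object (window / globalThis / a test stub).
function resolvePath(root, path) {
  let current = root;
  for (const key of path) {
    if (current === null || current === undefined) return undefined;
    current = current[key];
  }
  return current;
}

// True when Function.prototype.toString reports engine-native code; a JavaScript
// wrapper installed by a hooking payload has real source text instead.
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  const source = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(source);
}

// Returns dotted names of engine entry points that are present but not native.
function findNonNativeEngineApis(root, entryPoints = ENGINE_ENTRY_POINTS) {
  const findings = [];
  for (const path of entryPoints) {
    const fn = resolvePath(root, path);
    if (fn === undefined) continue;          // API absent in this environment
    if (!isNativeFunction(fn)) findings.push(path.join("."));
  }
  return findings;
}

// Record provider function references as early as possible during page load.
function snapshotProviderApis(root, entryPoints = PROVIDER_ENTRY_POINTS) {
  const snapshot = new Map();
  for (const path of entryPoints) {
    const fn = resolvePath(root, path);
    if (typeof fn === "function") snapshot.set(path.join("."), fn);
  }
  return snapshot;
}

// Returns dotted names of provider functions whose reference changed since the
// snapshot, i.e. something re-assigned ethereum.request after load.
function findReplacedProviderApis(root, snapshot, entryPoints = PROVIDER_ENTRY_POINTS) {
  const findings = [];
  for (const path of entryPoints) {
    const name = path.join(".");
    if (!snapshot.has(name)) continue;       // provider was not present at snapshot time
    if (resolvePath(root, path) !== snapshot.get(name)) findings.push(name);
  }
  return findings;
}

// Combined check a page can run before a user signs anything.
function auditHooks(root, snapshot) {
  return {
    nonNative: findNonNativeEngineApis(root),
    replaced: findReplacedProviderApis(root, snapshot),
  };
}

// Browser usage: take the snapshot in an inline first-party script in <head>,
// then call auditHooks(window, snapshot) before presenting a transaction and
// refuse to proceed (or report to your telemetry) when either list is non-empty.
```

In a browser the snapshot call belongs in the earliest first-party script, because a bundle that loads later could already have replaced the provider reference; in that case the snapshot would capture the hook itself and the identity check would report nothing.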
Developers and users are urged to review dependencies and delay crypto transactions until the packages are verified safe. The incident underscores the risks inherent in widely used open-source software and the potential for supply-chain attacks to affect billions of users.
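Both the advice to pin dependencies to known-safe versions and the call to review dependencies come down to inspecting what the lockfile actually resolves. The following is an added example, not code from the article or from any of the quoted researchers: it audits a package-lock.json (lockfileVersion 2 or 3, where every installed copy appears under "packages", including nested duplicates) against a list of compromised versions, and separately lists package.json dependencies that are not pinned to an exact version. The package names and versions in COMPROMISED_VERSIONS and in the constructed sample files are placeholders; substitute the list from the published advisory.

```javascript
// PLACEHOLDER advisory data: replace with the affected packages and versions
// from the published advisory. Exact versions only, so a pinned safe version
// of the same package is not reported.
const COMPROMISED_VERSIONS = {
  "example-compromised-pkg": ["9.9.9"],
  "another-compromised-pkg": ["1.2.3", "1.2.4"],
};

// A lockfile "packages" key looks like "node_modules/foo" or, for a nested
// copy, "node_modules/foo/node_modules/@scope/bar". The package name is the
// part after the last "node_modules/". The root project entry has key "".
function packageNameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  if (idx === -1) return null;
  return key.slice(idx + marker.length);
}

// Report every installed copy whose (name, version) pair is on the advisory list.
function findCompromisedPackages(lockfile, advisory = COMPROMISED_VERSIONS) {
  const findings = [];
  const packages = lockfile.packages || {};
  for (const [key, entry] of Object.entries(packages)) {
    const name = packageNameFromLockKey(key);
    if (!name || !advisory[name]) continue;
    if (advisory[name].includes(entry.version)) {
      findings.push({ name, version: entry.version, path: key });
    }
  }
  return findings;
}

// An exact semver pin is "MAJOR.MINOR.PATCH" with an optional prerelease tag;
// anything with ^, ~, ranges, tags or wildcards can float to a newer release.
function isExactVersion(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// List package.json dependencies (all dependency sections) that are not pinned.
function findUnpinnedDependencies(packageJson) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const unpinned = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(packageJson[section] || {})) {
      if (!isExactVersion(spec)) unpinned.push({ section, name, spec });
    }
  }
  return unpinned;
}

// Read both manifests from a project directory and audit them (Node.js).
function auditProject(dir) {
  const fs = require("fs");
  const path = require("path");
  const lock = JSON.parse(fs.readFileSync(path.join(dir, "package-lock.json"), "utf8"));
  const pkg = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8"));
  return {
    compromised: findCompromisedPackages(lock),
    unpinned: findUnpinnedDependencies(pkg),
  };
}

// Constructed sample lockfile (placeholder package names, not real packages).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-compromised-pkg": { version: "9.9.9" },
    "node_modules/another-compromised-pkg": { version: "1.2.2" },
    "node_modules/some-lib/node_modules/another-compromised-pkg": { version: "1.2.4" },
  },
};

// Constructed sample package.json with one floating and one pinned dependency.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "example-compromised-pkg": "^9.0.0", "some-lib": "2.0.1" },
  devDependencies: { "build-tool": "~4.1.0" },
};
```

Running auditProject on a checkout and treating a non-empty compromised list as a build failure turns the advice in the article into a CI gate; the unpinned list shows which entries a future npm install could still move onto a newly published malicious version even when today's lockfile is clean.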