A supply chain attack is currently hitting the JavaScript ecosystem. By compromising the account of a well-known developer, attackers injected malware into several widely used NPM modules. This malware can modify receiving addresses in real time during cryptocurrency transactions.
Key takeaways
- A well-known developer in the NPM ecosystem had his account compromised.
- Several popular libraries such as chalk and strip-ansi were infected.
- The malware acts as a crypto-clipper, replacing crypto receiving addresses.
- The attack could have had a major impact, but actual losses are limited to approximately $500.
- SwissBorg also announced a loss of 193,000 SOL (approximately $41 million) due to a separate breach.
Malware injected into NPM modules
The attack relies on the compromise of the account of “qix”, the developer and maintainer of numerous JavaScript libraries. Malicious versions of packages such as chalk, color-convert, error-ex, and is-core-module were released.
With several hundred million cumulative downloads each week, these libraries are integrated into thousands of Node.js projects, exposing a wide range of websites and applications.
The malware acts like a sophisticated crypto-clipper:
- It intercepts transactions,
- identifies Bitcoin, Ethereum, Solana and other cryptocurrency addresses,
- then replaces them with those of the attacker.
The attack targets website displays as well as API responses and transaction signatures, making it particularly dangerous for users of software wallets.
Ultimately limited damage
Despite the potential for massive spread, the losses observed remain minimal. According to Arkham data, the attackers only managed to steal approximately $500.
Errors made during the attack allowed for rapid detection and limited its effectiveness.
Recommended protective measures
Cybersecurity experts recommend several precautions:
- Use a hardware wallet (Ledger, Trezor) and carefully check the address displayed on the device before signing.
- Temporarily avoid on-chain transactions with a software wallet until the situation stabilises.
- Remain vigilant against supply chain attacks, considered one of the most dangerous vectors.
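For development teams, the corresponding check is whether a project's lockfile resolved any of the affected packages to a malicious release, including copies nested deep in the dependency tree. The following audit is an added example, not part of the original article or of npm's tooling; the denylisted version strings are placeholders to be replaced with the versions from the official advisory, and the lockfile is constructed sample data.

```javascript
// Audit an npm lockfile (lockfileVersion 2/3 "packages" map) against a denylist.
// The versions below are PLACEHOLDERS, not the real malicious releases:
// replace them with the versions listed in the official advisory.
const DENYLIST = {
  "chalk": ["0.0.0-placeholder"],
  "strip-ansi": ["0.0.0-placeholder"],
  "color-convert": ["0.0.0-placeholder"],
  "error-ex": ["0.0.0-placeholder"],
  "is-core-module": ["0.0.0-placeholder"],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one finding per installed copy whose name and exact version are denylisted.
function auditLockfile(lock, denylist = DENYLIST) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    // entry.name is set for the root and aliased installs; otherwise use the path.
    const name = entry.name || packageNameFromPath(lockPath);
    if (!name || !entry.version) continue; // e.g. linked entries carry no version
    // Own-property check so names like "constructor" never hit Object.prototype.
    const listed = Object.prototype.hasOwnProperty.call(denylist, name);
    if (listed && denylist[name].includes(entry.version)) {
      findings.push({ name, version: entry.version, path: lockPath });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "0.0.0-placeholder" },
    "node_modules/strip-ansi": { version: "9.9.9-clean" },
    "node_modules/some-cli/node_modules/error-ex": { version: "0.0.0-placeholder" },
    "node_modules/@demo/tool/node_modules/is-core-module": { version: "9.9.9-clean" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`AFFECTED ${f.name}@${f.version} at ${f.path}`);
}
```

Matching on the lockfile path rather than on `package.json` catches transitive copies, which is how most projects end up depending on these libraries.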
Meanwhile: SwissBorg affected by a separate vulnerability
Separately, the SwissBorg exchange confirmed a loss of 193,000 SOL, linked to a vulnerability in its partner Kiln. Although the incident affected less than 1% of users, the amount is equivalent to approximately $41 million.
SwissBorg immediately compensated the losses using its treasury and maintains that its application remains secure. Affected users will be contacted individually.