Compromised files replace npm packages with a combined 2 billion weekly downloads

Over a dozen popular npm packages were compromised in a phishing-based supply chain attack
The malware targeted crypto users by hijacking wallet addresses during transactions
Some called it the most widespread npm compromise to date, affecting 2 billion weekly downloads

More than a dozen npm packages with two billion downloads a week were compromised in a supply chain attack that targeted cryptocurrency users.

Researchers at Aikido Security spotted a maintainer account Qix (real name Josh Junon) publishing malicious updates. In less than an hour, multiple versions were uploaded, and soon after Junon himself confirmed the attack and apologized for the mess,

“Yep, I’ve been pwned. 2FA reset email, looked very legitimate,” Junon wrote on Bluesky, confirming that the breach started with a convincing phishing email.

Targeting crypto users

“Only NPM affected, I’ve sent an email off to @npmjs.bsky.social to see if I can get access again. Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up,” he stressed, showing how even the most careful people can get hit if they lower their guard.

According to The Hacker News, this is the list of 20 compromised packages, cumulatively counting 2 billion weekly downloads:

At the same time, CyberInsider described it as “the most widespread supply chain compromise in the history of the npm ecosystem.”

The malware being distributed through the packages apparently targeted cryptocurrency users. It is designed to intercept crypto transactions by swapping out the destination wallet address with one controlled by the attackers. Ethereum, Solana, Bitcoin, Tron, Litecoin, and Bitcoin Cash seem to be the chains targeted in this campaign.

Via The Hacker News