The code first checks for the existence of window.ethereum, an object injected by wallet extensions like MetaMask. If no wallet is found, it proceeds with a passive attack.
Hmm... yes, I forgot about MetaMask... that's probably the intended target.
Our package-lock.json specified the stable version 1.3.2 or newer, so it installed the latest version 1.3.3, which got published just a few minutes earlier.
I assume they meant package.json and this only happens when you run npm install, not npm ci?
Isn't my package-lock.json specifying exactly which version of dependencies to install for npm ci?
https://xcancel.com/P3b7_/status/1965094840959410230
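The package.json versus package-lock.json point raised above, as an added example that is not code from the thread or from npm: a caret range in package.json lets `npm install` resolve to a newer release, while `npm ci` installs exactly what the lockfile records. The script assumes the lockfileVersion 2/3 layout (installed packages keyed "node_modules/<name>"); the manifests and the denylist are constructed sample data, and 5.99.0 is a stand-in, not a real compromised version.

```javascript
// Added example, not code from the thread or from npm. Audits a package-lock.json
// (lockfileVersion 2/3 layout, installed packages keyed "node_modules/<name>") for:
//   1. locked versions present on a denylist of known-bad releases,
//   2. direct dependencies declared with a floating range in package.json, which
//      `npm install` may re-resolve to a newer release while `npm ci` keeps the lock,
//   3. locked entries with no integrity hash, so the tarball is not pinned by content.
// The manifests and the denylist below are constructed sample data, not real versions.
// Exact pin: "1.2.3" or "=1.2.3", optional prerelease tag. Everything else
// (^, ~, >=, x-ranges, dist-tags such as "latest", git/URL specs) can float.
const EXACT_SPEC = /^=?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function lockedPackages(lock) {
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const i = key.lastIndexOf("node_modules/");
    if (i === -1) continue;                        // root ("") and workspace entries
    const name = key.slice(i + "node_modules/".length);
    // top is true for the hoisted copy, the one package.json's range resolves to
    out.push({ name, version: entry.version, integrity: entry.integrity, top: i === 0 });
  }
  return out;
}

function auditLock(pkg, lock, denylist) {
  const findings = { compromised: [], floating: [], missingIntegrity: [] };
  const hoisted = new Map();
  for (const p of lockedPackages(lock)) {
    if (p.top) hoisted.set(p.name, p.version);
    if (denylist[p.name]?.has(p.version)) findings.compromised.push(`${p.name}@${p.version}`);
    if (!p.integrity) findings.missingIntegrity.push(`${p.name}@${p.version}`);
  }
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(declared)) {
    if (!EXACT_SPEC.test(spec)) findings.floating.push({ name, spec, locked: hoisted.get(name) });
  }
  return findings;
}

// Constructed sample: a caret range for chalk, an exact pin for debug, and a nested
// ms copy without an integrity field. 5.99.0 is a stand-in, not a real compromised release.
const SAMPLE_PKG = { dependencies: { chalk: "^5.0.0", debug: "4.3.4" } };
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/chalk": { version: "5.99.0", integrity: "sha512-constructed" },
  "node_modules/debug": { version: "4.3.4", integrity: "sha512-constructed" },
  "node_modules/debug/node_modules/ms": { version: "2.1.3" },
} };
const SAMPLE_DENYLIST = { chalk: new Set(["5.99.0"]) };
console.log(JSON.stringify(auditLock(SAMPLE_PKG, SAMPLE_LOCK, SAMPLE_DENYLIST), null, 2));
```

To run it against a real project, replace the two sample objects with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json and fill the denylist from an advisory.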
from Claude...
Based on the research I've gathered, here are the 18 specific NPM packages that were compromised in this supply chain attack:
The Compromised Packages (with weekly download numbers):
Starting on September 8th, 13:16 UTC, these 18 very popular packages were compromised:
Highest Impact Packages:
Medium Impact Packages:
Lower Impact Packages:
What These Packages Do
These are all fundamental utility packages that handle basic functions like:
The Scale
These utilities underpin much of the modern web and collectively account for more than 2.6 billion weekly downloads. They're the kind of packages that get included in almost every JavaScript project without developers even realizing it.
How the Attack Happened
Hackers compromised the npm account of Josh Goldberg, a well-known open-source maintainer known as "Qix," through a phishing campaign that targeted npm maintainers with emails impersonating the platform's support team.
These aren't flashy frameworks - they're the invisible building blocks that millions of websites and applications depend on, which is exactly what made this attack so devastating.
How the heck does an experienced open source maintainer fall for a phishing attack?
It must have been a very sophisticated and convincing phishing attempt?!
Ledger CTO warns users to halt onchain transactions amid massive NPM supply chain attack
Something about this story is strange: so an NPM library that has been downloaded a billion times is suddenly discovered to have BTC address-swapping code?
The only way I can see that as plausible is if some major exchange (Binance, Coinbase, etc.) is using said NPM library. What other "wallets" could account for a billion downloads?
Yeah, I don't get it either. Good thing I use a wallet that doesn't use npm.
So here is the gist of all the swap addresses extracted from malware. https://gist.github.com/jdstaerk/f845fbc1babad2b2c5af93916dd7e9fb
I've checked about 10 of the 'bc1' bitcoin ones and don't see any transactions.
I've also checked some of the ETH ones on Etherscan and don't see any meaningful activity on those (a few 0.000015 transactions that may be tests from the original malware developer, but nothing significant).
So what does this mean? A billion downloads and no transactions?
Me neither. Maybe folks are stepping up their game and checking the full address instead of just the beginning and end.
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
from @evankaloudis
Thanks!
https://xcancel.com/BTCsessions/status/1965136278946763209