TLDR
- Over 2 billion weekly downloads of 18 compromised npm packages, including chalk, debug, and strip-ansi, put the JavaScript ecosystem at risk
- Malware functions as crypto clipper, swapping wallet addresses during transactions to redirect funds to attacker wallets
- Attack began when developer “qix” fell victim to phishing email impersonating NPM support, allowing hackers to inject malicious code
- Only $497 stolen so far despite massive potential reach, with hardware wallet users remaining safe due to device-level confirmation
- Major protocols like Uniswap, Jupiter, and MetaMask assured users their platforms remain secure
A major supply chain attack hit the JavaScript ecosystem on September 8, 2025, when hackers compromised 18 popular Node.js packages to steal cryptocurrency from users. The attack affected libraries with over 2 billion weekly downloads, making it one of the largest npm supply chain attacks in recent history.
A massive supply chain attack just hit the JavaScript ecosystem.
18 core NPM packages were hacked, including chalk, strip ansi and debug.
These libraries have over 2 billion weekly downloads.
Here’s what happened, how it affects crypto and how to stay safe 🧵
(1/8)
— StarPlatinum (@StarPlatinumSOL) September 8, 2025
The breach began when a respected developer known as “qix” received a phishing email impersonating official NPM support. The developer fell for the fake login page, allowing attackers to hijack their account and publish malicious updates to widely-used JavaScript libraries.
The compromised packages included high-profile libraries such as chalk, debug, ansi-styles, and strip-ansi. These packages form core dependencies in countless web applications and crypto projects across the JavaScript ecosystem.
How the Crypto Clipper Works
The malware operates as a crypto clipper, silently replacing copied cryptocurrency wallet addresses with similar-looking addresses controlled by the attackers. The malicious code uses Levenshtein distance logic to create lookalike addresses that appear legitimate to users.
When users copy wallet addresses for transactions, the malware swaps them with attacker-controlled addresses. This technique targets users of popular wallets like MetaMask and Phantom, as well as decentralized finance applications.
The attack specifically focused on hijacking wallet addresses during crypto transactions. Users making transfers without careful verification could unknowingly send funds to the wrong destination.
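A defensive check for the address swap described above, added here as an example (it is not code from the article, the malware, or any wallet): it compares the destination the user intended with the one in the transaction about to be signed, reports their Levenshtein distance, and shows that a swapped address can look identical once a UI shortens it. The function names, the shortened display format, the `maxDistance` threshold and all addresses are assumptions constructed for illustration.

```javascript
// Added example. Addresses are constructed sample values, not incident indicators.

// Levenshtein distance, two-row dynamic programming.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const curr = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      curr[j] = Math.min(prev[j] + 1, curr[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = curr;
  }
  return prev[b.length];
}

// What a UI that shortens addresses to "0x1111…0000" would display (hypothetical format).
function truncated(addr, head = 6, tail = 4) {
  return addr.slice(0, head) + "…" + addr.slice(-tail);
}

// Compare the intended destination with the one in the transaction to be signed.
// Hex addresses are compared case-insensitively; checksum casing is ignored.
// maxDistance is an assumed threshold for calling a mismatch a "lookalike".
function checkDestination(intended, actual, maxDistance = 8) {
  const a = intended.trim().toLowerCase();
  const b = actual.trim().toLowerCase();
  if (a === b) return { verdict: "match", distance: 0, sameWhenTruncated: true };
  const distance = levenshtein(a, b);
  const sameWhenTruncated = truncated(a) === truncated(b);
  const verdict = sameWhenTruncated || distance <= maxDistance ? "lookalike" : "mismatch";
  return { verdict, distance, sameWhenTruncated };
}

// Constructed sample addresses.
const INTENDED = "0x1111222233334444555566667777888899990000";
const SWAPPED = "0x1111222233334444aaaa66667777888899990000"; // 4 characters differ
const UNRELATED = "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd";

for (const addr of [INTENDED, SWAPPED, UNRELATED]) {
  console.log(addr, checkDestination(INTENDED, addr));
}
```

Anything other than `match` should block signing; the `lookalike` verdict only explains why the mismatch is easy to miss by eye.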
Despite the massive potential reach, researchers tracking the attack wallets found only $497.96 stolen at the time of reporting. The relatively low theft amount suggests either limited exploitation or that security measures prevented larger losses.
Hardware Wallet Protection
Ledger CTO Charles Guillemet warned users about the attack and emphasized hardware wallet safety. He explained that hardware wallet users remain protected if they verify transaction details on their devices before signing.
“If you use a hardware wallet, pay attention to every transaction before signing and you’re safe,” Guillemet advised. Hardware wallets require device-level confirmation, preventing the address swap from going unnoticed.
🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.
The malicious payload works…
— Charles Guillemet (@P3b7_) September 8, 2025
Users without hardware wallets faced higher risk during the attack period. Guillemet recommended these users avoid making on-chain transactions until the threat was contained.
Industry Response
Major cryptocurrency protocols quickly responded to assure users of their safety. Uniswap, SUI, and Jupiter confirmed they were not affected by the attack but advised continued caution.
Popular wallet providers including Ledger and MetaMask assured users that their multi-layered security measures remained intact. These platforms emphasized existing protections against such supply chain attacks.
The npm registry team worked to remove the malicious packages and restore clean versions. The compromised libraries were identified and patched within hours of discovery.
Security researchers from various firms collaborated to track the attack wallets and assess the damage. They identified the main wallet addresses linked to the breach and monitored for additional connected accounts.
The attack highlighted vulnerabilities in open-source package management systems. A single compromised maintainer account created ripple effects across global software and financial systems.
September 8 also saw other crypto security incidents, including a $41 million exploit at Swiss platform SwissBorg and the shutdown of Ethereum L2 project Kinto following an earlier hack.