blockchain&beyond · news · 09 Sep 25

Large-Scale Attack on NPM Puts Wallets and dApps at Risk – Details

A large supply chain attack compromised NPM packages that are downloaded more than a billion times a week. The attackers injected a clipper, code that silently replaces the recipient's cryptocurrency address while a transaction is being prepared.


nft.eu

Attackers compromised a package maintainer's NPM account and published malicious versions of widely used libraries, including chalk, strip-ansi, and color-convert. Together these packages are downloaded more than a billion times per week, so any JavaScript application that picked up the poisoned releases, and every user of such an application, was exposed. The injected code is a clipper: when a wallet transaction is prepared in the browser, it rewrites the recipient address so that the funds go to the attackers. Losses so far are reported at under $50, but because of its reach the incident is widely regarded as one of the largest supply chain compromises to date.

Scale of the Breach and Attack Mechanism

The attackers sent phishing emails impersonating NPM support. The emails pointed to a fake page claiming that a two-factor authentication update was required; a maintainer entered their login details and 2FA code there, which gave the attackers control of the account and let them publish the malicious package versions.

Aikido Security researcher Charlie Eriksen noted that the attack spanned multiple layers – modifying the UI, API calls, and application behavior – highlighting its serious scale.

Ledger CTO Charles Guillemet warned that the compromised packages are downloaded over 1 billion times, posing a threat to the entire JavaScript ecosystem. The malicious clipper can propagate into active applications and alter addresses, enabling interception of cryptocurrency at the point of transaction confirmation.

Wallet users are urged to exercise caution, especially with web-based wallets and dApp front-ends. Because the clipper rewrites the destination address inside the page, a transaction can be redirected even when the user never typed or pasted an address, so the address shown at the moment of confirmation is the one to verify.
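To make that warning concrete, here is an added example, not code from the article, from the affected packages, or from any wallet named on this page. It models an EIP-1193 style wallet provider (the `window.ethereum` shape), a constructed clipper that hooks the provider's `request()` method to swap the `to` field of an `eth_sendTransaction`, and the confirmation-time check that catches the swap. The addresses, the transaction result and the provider itself are constructed stand-ins; the clipper is an illustration of the class of behaviour described above, not the real malware.

```javascript
// Added, constructed example: an EIP-1193-style provider, a clipper that
// hooks it, and a confirmation-time recipient check. Not the article's
// code and not the real malware.

const ATTACKER = "0x1111111111111111111111111111111111111111"; // constructed
const MERCHANT = "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"; // constructed
const PAYER = "0x2222222222222222222222222222222222222222"; // constructed

// Stand-in for window.ethereum. `confirm(tx)` plays the wallet UI or the
// hardware-wallet screen: it is the last place the final `to` is visible
// before signing, and it decides whether the transaction goes out.
function makeProvider(confirm) {
  return {
    async request({ method, params }) {
      if (method !== "eth_sendTransaction") {
        throw new Error("unsupported method: " + method);
      }
      const tx = params[0];
      if (!confirm(tx)) throw new Error("user rejected: recipient mismatch");
      return { hash: "0xdeadbeef", to: tx.to }; // constructed result
    },
  };
}

// Constructed clipper in the class the article describes: it replaces
// provider.request in place, so a dApp that calls provider.request() never
// sees the substitution, and no user input is needed for it to fire.
function installClipper(provider) {
  const original = provider.request.bind(provider);
  provider.request = (args) => {
    if (args.method === "eth_sendTransaction") {
      const [tx, ...rest] = args.params;
      args = { ...args, params: [{ ...tx, to: ATTACKER }, ...rest] };
    }
    return original(args);
  };
}

// The dApp's payment path: the recipient comes from app config; the user
// types nothing.
function pay(provider, valueWei) {
  return provider.request({
    method: "eth_sendTransaction",
    params: [{ from: PAYER, to: MERCHANT, value: valueWei }],
  });
}

// Confirmation-time check: compare the address about to be signed with one
// the user obtained outside the page (an invoice, a lookup on another device).
function expectRecipient(expected) {
  return (tx) =>
    typeof tx.to === "string" && tx.to.toLowerCase() === expected.toLowerCase();
}

// Runs three scenarios and returns what each one actually sent.
async function demo() {
  const clean = makeProvider(expectRecipient(MERCHANT));
  const cleanResult = await pay(clean, "0x1");

  const hooked = makeProvider(expectRecipient(MERCHANT));
  installClipper(hooked);
  let blocked = false;
  try {
    await pay(hooked, "0x1");
  } catch (e) {
    blocked = /recipient mismatch/.test(e.message);
  }

  const careless = makeProvider(() => true); // user clicks through
  installClipper(careless);
  const carelessResult = await pay(careless, "0x1");

  return { cleanTo: cleanResult.to, blocked, carelessTo: carelessResult.to };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The clean provider sends to MERCHANT, the hooked provider with the check is rejected, and the careless provider sends to ATTACKER. The point of the careless case is that the dApp never sees the swap: the hook lives in the same page as the dApp, so the only comparison that works is the one made against the address displayed by the wallet or hardware device at confirmation, checked against a recipient obtained outside the page.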

Losses to Date

According to Security Alliance (SEAL) researcher samczsun, the attackers stole less than $50 in total: about $0.05 in ETH and roughly $20 in memecoins including Andy, BRETT, and DORK, among others. The attack was therefore large in reach but, so far, ineffective in execution.

Market Reaction and Industry Feedback

Platforms such as Ledger and MetaMask announced that their wallets remain secure thanks to multi-layer protections. Phantom, Uniswap, Aerodrome, Blast, Blockstream Jade, and Revoke.cash confirmed that they are running safe versions of the libraries.

DefiLlama founder 0xngmi cautioned that the greatest risk lies with projects that updated their dependencies after the attack. Users are advised to verify the recipient address at the point of confirmation and, where possible, to avoid transacting through affected services until the threat is fully mitigated.
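As an added example of the check a project team can run (not code from the article or from any of the projects it names): the script below walks an npm package-lock.json, in both the lockfileVersion 1 nested `dependencies` form and the version 2/3 flat `packages` map, and reports every installed copy of the three packages named above, including nested copies pulled in transitively by other dependencies. Which versions count as affected is supplied by the caller; the sample lockfiles and the affected-version list here are constructed placeholders, not the real compromised releases.

```javascript
// Added, constructed example: audit an npm package-lock.json for installed
// versions of the packages the article names. Not the article's code and
// not any project's own tooling.

const WATCHED = ["chalk", "strip-ansi", "color-convert"]; // names from the article

// lockfileVersion 2/3: keys look like "node_modules/chalk" or
// "node_modules/some-cli/node_modules/chalk" (a nested, transitive copy).
function packageNameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// lockfileVersion 1: a nested `dependencies` tree; flatten it to the same
// "node_modules/..." paths so both formats are reported the same way.
function flattenV1(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const key = `${prefix}node_modules/${name}`;
    out.push([key, meta]);
    flattenV1(meta.dependencies, key + "/", out);
  }
  return out;
}

// Returns one finding per installed copy of a watched package. `affected`
// maps package name -> array of versions the caller considers compromised.
function auditLock(lock, affected) {
  const entries = lock.packages
    ? Object.entries(lock.packages)
    : flattenV1(lock.dependencies, "", []);
  const findings = [];
  for (const [key, meta] of entries) {
    const name = packageNameFromKey(key);
    if (!name || !WATCHED.includes(name)) continue;
    const version = meta.version;
    findings.push({
      name,
      version,
      path: key,
      affected: (affected[name] || []).includes(version),
    });
  }
  return findings;
}

// Constructed sample lockfiles. "9.9.9" is a placeholder standing in for a
// compromised release; it is not a real published version.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "4.1.2" },
    "node_modules/strip-ansi": { version: "6.0.1" },
    "node_modules/color-convert": { version: "2.0.1" },
    "node_modules/some-cli": { version: "1.2.3" },
    "node_modules/some-cli/node_modules/chalk": { version: "9.9.9" },
    "node_modules/some-cli/node_modules/ansi-styles": { version: "4.3.0" },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-cli": { version: "1.2.3", dependencies: { chalk: { version: "9.9.9" } } },
    "strip-ansi": { version: "6.0.1" },
  },
};
const PLACEHOLDER_AFFECTED = { chalk: ["9.9.9"] }; // constructed, not real data

// Prints one line per installed copy and returns the findings.
function report(lock) {
  const findings = auditLock(lock, PLACEHOLDER_AFFECTED);
  for (const f of findings) {
    const tag = f.affected ? "AFFECTED" : "ok      ";
    console.log(`${tag} ${f.name}@${f.version}  (${f.path})`);
  }
  return findings;
}

report(SAMPLE_LOCK_V3);
report(SAMPLE_LOCK_V1);
```

The nested path matters: a project that never lists chalk in its own package.json can still carry a fresh copy under another dependency, and that copy is the one a rebuild after the attack would have picked up. With a real lockfile, replace the samples with `JSON.parse` of the file contents and fill in the affected versions from the package advisories.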

This post is for informational purposes only and is not advertising or investment advice. Please do your own research before making any decisions.
