Crypto malware infiltrates JavaScript libraries used by millions

The NPM (Node Package Manager) account of the developer ‘Qix’ was compromised, which allowed hackers to publish malicious versions of his packages.

The attackers published malicious versions of dozens of extremely popular JavaScript packages, including fundamental utilities. The hack had massive reach, since the affected packages have more than one billion combined weekly downloads.

This attack on the software supply chain specifically targets the JavaScript/Node.js ecosystem.

Crypto-clipper malware

The malicious code was a “crypto-clipper” designed to steal cryptocurrency by swapping wallet addresses in network requests and hijacking crypto transactions directly. It was also heavily obfuscated to avoid detection.

The crypto-clipper has two attack vectors. When no crypto wallet extension is found, the malware intercepts all network traffic by replacing the browser’s native fetch and HTTP request functions, swapping in wallet addresses from an extensive set owned by the attackers.

For this address swapping, it uses algorithms to find replacement addresses that are visually similar to the legitimate ones, which makes the fraud almost impossible to detect with the naked eye, cybersecurity researchers said.

If a crypto wallet is found, the malware intercepts transactions before signing: when users initiate a transaction, it modifies it in memory to redirect the funds to the attacker’s addresses.

The attack targeted packages such as ‘chalk’, ‘strip-ansi’, ‘color-convert’ and ‘color-name’, which are core building blocks buried in the dependency trees of countless projects.

The attack was discovered by accident when a build pipeline failed with a “fetch is not defined” error, since the malware tried to exfiltrate data using the fetch function.
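To check whether a project pulls in any of the packages named above, including copies nested deep in the dependency tree, the following added example (not from the original article) walks an npm `package-lock.json`. The sample lockfile, the `some-cli` and `@scope/color-name` entries and every version number are constructed placeholders; the deny-list has to be filled in from the registry's advisory.

```javascript
// Added example: find every installed copy of a watched package in an npm lockfile.
// Package names come from the article; all versions below are constructed placeholders.
const WATCHED = ['chalk', 'strip-ansi', 'color-convert', 'color-name'];

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/chalk";
// the package name is whatever follows the last "node_modules/".
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Returns [{ name, version, path, flagged }] for every copy of a watched package.
// `denyList` maps package name -> array of versions listed in the advisory.
function auditLockfile(lockfile, denyList = {}, watched = WATCHED) {
  if (!lockfile.packages) {
    throw new Error('lockfileVersion 2 or 3 required (no "packages" map found)');
  }
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages)) {
    const name = packageNameFromPath(path);
    if (!name || !watched.includes(name)) continue; // exact name match only
    const flagged = (denyList[name] || []).includes(meta.version);
    findings.push({ name, version: meta.version, path, flagged });
  }
  return findings;
}

// Constructed sample lockfile: one direct copy of chalk, two nested transitive
// copies, and a scoped package that must NOT be mistaken for color-name.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '1.0.0' },
    'node_modules/some-cli': { version: '2.3.4' },
    'node_modules/some-cli/node_modules/chalk': { version: '9.9.9' },
    'node_modules/some-cli/node_modules/strip-ansi': { version: '1.2.3' },
    'node_modules/@scope/color-name': { version: '9.9.9' },
  },
};
// Constructed deny-list (placeholder versions, not real advisory data).
const SAMPLE_DENY = { chalk: ['9.9.9'], 'color-name': ['9.9.9'] };

for (const f of auditLockfile(SAMPLE_LOCK, SAMPLE_DENY)) {
  console.log(`${f.flagged ? 'FLAGGED' : 'ok'} ${f.name}@${f.version} (${f.path})`);
}
```

In a real project, pass the parsed contents of `package-lock.json` as the first argument and exit non-zero in CI when any finding has `flagged` set.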

“If you use a hardware wallet, pay attention to each transaction before signing, and you are safe. If you do not use a hardware wallet, refrain from making on-chain transactions for now,” said the Ledger CEO, Charles Guillemet.

Broad attack vector

While the malware payload specifically targets cryptocurrency, the attack vector is much broader. It affects any environment that runs JavaScript/Node.js applications, such as web applications running in browsers, desktop applications, server-side Node.js applications and mobile applications built with JavaScript frameworks.

Therefore, a regular business web application could include these malicious packages without knowing it, but the malware would only activate when users interact with cryptocurrency on that site.

Uniswap and Blockstream were among the first to assure users that their systems were not at risk.
