Largest supply chain attack in history targets crypto users through compromised JavaScript packages

A new cyberattack is silently targeting crypto users during transactions, in an incident that security researchers describe as the largest supply chain attack in history.

BleepingComputer reported that attackers hijacked npm package maintainer accounts through phishing emails and injected crypto-stealing malware.

The attack targeted JavaScript developers with fraudulent emails that appeared to originate from “[email protected]”, a spoofed domain that mimics the legitimate npm registry.

The phishing messages warned maintainers that their accounts would be locked on September 10 unless they updated their two-factor authentication credentials through a malicious link.

The attackers successfully compromised 18 widely used JavaScript packages with collective weekly downloads of more than 2.6 billion.

The compromised libraries include fundamental development tools such as “chalk” (300 million weekly downloads), “debug” (358 million) and “ansi-styles” (371 million), affecting practically the entire JavaScript ecosystem.
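One way to check a project's exposure to packages like these, as an added example that is not code from the article or from npm: it walks an npm lockfile's `packages` map and reports every resolved copy of a watch-listed package, including nested transitive copies. The watch-list uses two package names from the article; the flagged version strings are placeholders to be replaced with the versions named in the registry advisory, and the sample lockfile is constructed.

```javascript
// Added example: inventory every resolved copy of watch-listed packages in an
// npm lockfile (lockfileVersion 2/3 "packages" map), including nested copies.
// Names come from the article; the versions are PLACEHOLDERS to be filled in
// from the registry advisory, not real compromised versions.
const WATCHLIST = {
  "chalk": ["0.0.0-PLACEHOLDER"],
  "ansi-styles": ["0.0.0-PLACEHOLDER"],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function auditLockfile(lockJson, watchlist = WATCHLIST) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  if (!lock.packages) {
    throw new Error("no 'packages' map (lockfileVersion 1); regenerate with npm >= 7");
  }
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    // Aliased installs record the real package name in meta.name.
    const name = meta.name || packageNameFromPath(path);
    if (!name || !Object.prototype.hasOwnProperty.call(watchlist, name)) continue;
    const flagged = watchlist[name].includes(meta.version);
    findings.push({ name, version: meta.version, path, flagged });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "4.1.2" },
    "node_modules/ansi-styles": { version: "0.0.0-PLACEHOLDER" },
    "node_modules/chalk/node_modules/ansi-styles": { version: "4.3.0" },
    "node_modules/@demo/chalk": { version: "1.0.0" }, // scoped look-alike, ignored
    "node_modules/left-pad": { version: "1.3.0" },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.flagged ? "FLAGGED" : "review "} ${f.name}@${f.version} (${f.path})`);
}
```

Entries reported as "review" are copies of a watch-listed package at a version not on the list; they show where a later `npm install` could pull in a bad release if the dependency range allows it.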

Targeting crypto

The malicious code works as a browser-based interceptor, monitoring network traffic for crypto transactions on the Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash networks.

When users initiate crypto transfers, the malware silently replaces the destination wallet addresses with attacker-controlled accounts before the transaction is signed.

Aikido Security researcher Charlie Eriksen explained:

“What makes it dangerous is that it works in multiple layers: altering the content shown on the websites, altering API calls and manipulating what user applications believe they are signing.”

Ledger CTO Charles Guillemet warned crypto users about the ongoing threat, noting that the JavaScript ecosystem may be compromised given the massive download figures.

Hardware wallet users retain protection if they verify the details of the transaction before signing, while software wallet users face greater risk. Guillemet advised:

“If you don’t use a hardware wallet, refrain from making on-chain transactions for now.”

He also noted uncertainty about whether the attackers can directly extract seed phrases from software wallets.

Sophisticated targeting

The attack represents sophisticated supply chain targeting, in which criminals compromise trusted development infrastructure to reach end users.

By infiltrating packages downloaded billions of times weekly, the attackers gained unprecedented access to cryptocurrency applications and wallet interfaces.

BleepingComputer identified that the phishing infrastructure exfiltrated credentials to “Websockt-Api2.publicvm.com”, which demonstrates the coordinated nature of the operation.

This incident follows similar JavaScript library compromises throughout 2025, including July’s attack on “eslint-config-prettier”, which had 30 million weekly downloads, and March compromises that affected ten popular npm libraries.
