Largest NPM Attack in Crypto History Stole Less Than $50
Recently, a massive supply chain hack hit JavaScript software libraries, targeting crypto wallets. The attackers broke into the node package manager (NPM) account of a well-known software developer and published malware-laden versions of popular JavaScript libraries that have collectively been downloaded over 1 billion times.
Ethereum and Solana wallets were specifically targeted by the malicious code, which has put countless crypto projects at risk. However, thanks to swift action from security researchers, less than $50 worth of crypto has been stolen so far, according to crypto intelligence platform Security Alliance.
The malicious address, identified as "0xFc4a48," has received only a small amount of crypto, including five cents in Ether (ETH) and $20 worth of a memecoin. Security experts say the malware has been nearly completely neutralized, although the full extent of the damage may still be unfolding.
Security Alliance shared the findings on Monday, stating that the hacker "didn't fully capitalize on the amount of access they had." The group compared the situation to finding the keycard to Fort Knox and using it as a bookmark. "The malware was widespread but at this point is nearly completely neutralized," said pseudonymous SEAL security researcher Samczsun.
The affected packages, such as chalk, strip-ansi, and color-convert, are small utilities buried deep in the dependency trees of countless projects. They are pulled in as transitive dependencies, so even projects that never list them directly could have installed the malicious code.
NPM is like an app store for developers – a central library where they share and download small code packages to build JavaScript projects. The attackers appear to have planted a crypto-clipper, a type of malware that silently replaces wallet addresses during transactions to divert funds.
Crypto Wallet Providers React
Several major crypto wallet providers, including Ledger and MetaMask, have reported their platforms as unaffected by the NPM attack. The team behind Phantom Wallet stated that it doesn't use any vulnerable versions of the affected packages, while Uniswap noted that none of its apps are at risk.
Aerodrome, Blast, Blockstream Jade, and Revoke.cash were among the other crypto platforms that said they were unaffected by the supply chain attack. However, 0xngmi, the pseudonymous founder of crypto analytics platform DefiLlama, warned that only crypto projects that updated after the malicious NPM package was published may be at risk.
"Even then, users must approve the malicious transaction for it to work," said 0xngmi. He also suggested that it may be safer to avoid using crypto websites until developers behind those platforms clean up the bad packages.