A security alert for users and developers: An NPM supply chain attack is targeting users through compromised JavaScript libraries to steal their crypto.
On-chain developers warn against a recent NPM breach, which puts cryptocurrencies and other digital assets at risk. The attackers seized 18 popular packages, such as chalk and debug, and pushed malicious releases on GitHub. Those dependencies are responsible for powering many apps, and the ecosystem records have over two billion weekly downloads. The malicious downloads in billions must have infected tainted versions from the registry, creating a backdoor.
The payload watched transaction flows inside browsers and replaced recipient addresses with the attacker’s wallet. In case of any transaction, the sent digital assets would land in the hackers’ addresses instead of the recipient addresses. As a response, the developers warned their communities, wallets like MetaMask warned against making any transactions, and crypto exchanges like Binance have halted their withdrawals for several funds.
How NPM Supply-Chain Attack Works
The sequence begins with a precise trick that looks routine yet presses on trust. Emails that pretend to be an NPM two-factor update reach maintainer Qix, and the message asks for an urgent verification that requires credentials. Qix signs in through the fake page, the attacker collects the token, and publishes the rights shift in minutes.
At 13:16 UTC, infected releases hit the registry, and built systems across the world started to pull them because the versions looked legitimate and the changelogs appeared normal. The malicious code was inside those popular packages, resting there, waiting for front end code to run in a user’s browser, where it could hook network requests used by wallets such as MetaMask.
The hook inspects outgoing transactions. In these infected JavaScript Libraries, this hook replaced all destination addresses with the attacker’s wallet: 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976
The hack has infected Ethereum, Bitcoin, Solana, and Tron, so any dapp that loads the compromised bundles may expose users who sign during that window. As reports spread, developers are scanning lockfiles and halting deploys, yet the clock is still moving because caches are warm and CDNs serve prior artifacts. As reported by Arkham Intelligence, the wallets associated with the hackers have stolen a ridiculously low amount of $66, yet the penetration is alarming.
Security firms reported it swiftly as Aikido and JFrog raised alerts within hours, however, some builds stayed exposed through cached assets and deploys as of September 10, 2025. NPM removed the infectious releases and broadcast notices.
Project like Venus Protocol and Yoroi Wallet quickly ran audits and reported no impact, however, the model of attack still threatens software wallets, browser extensions, and exchanges that load front-end bundles from compromised dependency trees.
This risk is unique because a trusted package flips into a delivery channel for wallet interception, and the change propagates at machine speed through CI systems, CDNs, and transitive dependencies that few teams review line by line, which is concerning for many, especially the open source systems. The FUD has not affected the crypto market in any way, and even the Bitcoin price appreciated in the following hours.
Users who never installed the malicious versions, or who rebuilt with clean locks before signing transactions, remain safe. However, those who pulled the bad versions after 13:16 UTC on September 8, then used dApps that touched MetaMask or similar wallets during that window, do not fall in the safe group even if their own code looked clean. It is advised to act now. Verify exact package versions in your lockfiles, rebuild from a clean cache, redeploy known-good artifacts, and rotate NPM tokens.
This should be a wake up call for the open source ecosystems, pushing for stronger authentication and dependency audits to prevent future disasters. As blockchain becomes more mainstream, such incidents may not cause it to be financially affected, but they affect the trust of a trustless system.
