A massive supply chain attack compromised 18 highly popular npm packages, which collectively received two billion weekly downloads, deploying sophisticated browser-based malware designed to steal cryptocurrency and web3 transactions from unsuspecting developers and end-users, and silently redirecting funds to attacker-controlled accounts, according to security firm Aikido.
The attack began on September 8, when Aikido’s threat intelligence systems detected malicious code being pushed to npm packages, including chalk (299.99 million weekly downloads), debug (357.6 million downloads), and ansi-styles (371.41 million downloads).
The compromised packages contained obfuscated code that “silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user,” Aikido researchers said in a blog post.
“Our analysis strongly indicated this was orchestrated by a single threat actor group,” Charlie Eriksen, lead malware researcher at Aikido told CSO Online. “What was striking was their relatively unsophisticated approach – they were using off-the-shelf obfuscation tools and their execution suggested operational carelessness. Frankly, if they really wanted to maximize the impact of compromising packages with 2 billion weekly downloads, they left quite a lot of opportunities on the table.”
The attack represented the latest in a series of npm supply chain attacks that targeted enterprise developers in recent weeks. In late August, security firm Wiz reported a separate AI-powered campaign that compromised the Nx build system and exposed thousands of developer credentials, while JFrog discovered eight additional malicious React packages using multi-layer obfuscation techniques.
Phishing campaign exploited npm trust model
The attack originated from a sophisticated phishing campaign that exploited the fundamental trust relationships within the npm ecosystem. Threat actors registered the typosquatted domain npmjs.help on September 5, just three days before launching their campaign, and used it to impersonate legitimate npm administrative communications.
“The maintainer shared that he was compromised by the use of phishing, using this email coming from support [at] npmjs [dot] help,” the blog post said. The domain was designed to closely mimic the legitimate npmjs.org domain, with attackers sending emails that appeared to come from official npm support channels.
The scale of the compromise became apparent as Aikido’s threat intelligence systems tracked the systematic updating of multiple high-profile packages.
“The above packages all started having new versions released,” researchers noted in the blog post, with each update containing hidden malicious payloads. One compromised maintainer, after being notified by Aikido, confirmed the breach on social media, stating he was “aware of being compromised, and starting to clean up the compromised packages.”
However, the damage was already significant. “The author appeared to have deleted most of the compromised package before losing access to his account. At the time of writing, the package simple-swizzle was still compromised,” researchers reported, highlighting how attackers maintained persistence even after initial discovery.
At 16:58 UTC on September 8, Aikido detected another compromised package, proto-tinker-wc@0.1.87, “compromised by what appeared to be the same attackers,” confirming the coordinated campaign.
Financial impact surprisingly limited
Despite affecting packages with 2 billion weekly downloads, the actual financial impact was surprisingly modest. “We were tracking approximately $970 in stolen funds to attacker-controlled wallets,” Eriksen said, highlighting a significant disconnect between the attack’s potential reach and its realized damage.
This limited financial impact reflected both the attackers’ operational carelessness and their targeted approach to cryptocurrency transactions, rather than broader data theft or system compromise.
Cryptocurrency exchanges identified as primary targets
The attack’s browser API-level operation revealed critical blind spots in enterprise security monitoring, particularly for organizations handling cryptocurrency transactions. “The biggest risk so far would be for crypto exchanges, if they were compromised,” Eriksen said. “The malware was designed to be run on trading/exchange portals, intercepting whenever a user would attempt to make a crypto transfer.”
This targeting strategy reflected the attackers’ specific focus on financial gain rather than broader system compromise. “This browser API-level operation completely bypassed traditional file-based detection,” Eriksen explained. “Current enterprise security tools were largely blind to this type of pre-deployment compromise – organizations needed fundamentally different monitoring approaches that scan dependencies before code even entered their environment.”
The malware operated as what Aikido described as “essentially a browser-based interceptor that hijacked both network traffic and application APIs.” The technical implementation demonstrated understanding of web3 applications, with complex logic designed to identify and replace cryptocurrency addresses across multiple blockchain networks, recognizing address formats for Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash.
Despite the massive potential for damage, the enterprise community “got lucky this time that the attackers were very specific in their goals, and didn’t do more damage,” Eriksen said.
Expert calls for systematic npm security reforms
The attack highlighted fundamental vulnerabilities in the npm ecosystem’s trust model. “These recent attacks highlighted the need for better attestation and provenance,” Eriksen said. “The fact that a simple phishing email was enough to compromise SUCH important packages, reaching such a significant portion of the JavaScript developer community, was problematic.”
Eriksen advocated for systematic changes to prevent similar compromises. “Popular packages should only be publishable through signed GitHub Actions workflows that require pull request approvals,” he added. “It was about creating a verifiable chain of custody from code commit to package publication.”
Such reforms would address the core vulnerability that enabled this attack – the ability for a single compromised maintainer account to push malicious updates to widely used packages. “Using tools to protect against supply chain attacks in the open-source ecosystem was becoming increasingly important,” Eriksen said.
No Responses