Aikido Security Ltd. has revealed what is now regarded as the largest npm supply-chain attack to date. Threat actors phished maintainers into resetting their two-factor authentication, then pushed malware-laden versions of 18 widely used npm packages, including chalk, debug, and ansi-styles, that collectively account for more than 2.6 billion downloads per week. The injected code intercepts browser functions such as fetch and XMLHttpRequest, as well as wallet APIs (window.ethereum, Solana, etc.), enabling so-called “crypto-clipper” malware to silently redirect funds by hijacking cryptocurrency transactions in the browser. Security experts warn developers to roll back to known safe versions, audit recent updates, and be cautious with crypto interactions.
Sources: BeinCrypto, The Register, SiliconANGLE
Key Takeaways
– Supply-chain attackers leveraged phishing to breach npm maintainers’ 2FA, enabling tampering with high-profile packages downloaded billions of times weekly.
– Malicious code—camouflaged as trusted updates—can hijack crypto transactions in-browser, redirecting funds via wallet API interception.
– Developers must audit their dependencies closely, revert to verified safe versions, and treat crypto-enabled code with enhanced scrutiny.
In-Depth
In a sobering demonstration of how deeply the npm ecosystem is woven into modern software development—and how vulnerable that integration can make us—security researchers with Aikido Security have confirmed a massive supply-chain breach that compromised 18 npm packages downloaded more than 2.6 billion times each week.
The attackers executed a phishing attack that reset two-factor authentication for targeted maintainers, then published poisoned versions of their packages. Key libraries such as chalk, debug, and ansi-styles were rigged with crypto-stealing malware that operates by intercepting browser-level APIs—like fetch, XMLHttpRequest, and wallet interfaces such as MetaMask and Solana—effectively hijacking cryptocurrency transfers without raising suspicion.
Known as a “crypto-clipper” attack, this technique replaces legitimate wallet addresses with attacker-controlled ones, often invisibly to users. While the full scope of theft remains undetermined, experts urge developers to rely only on previously verified package versions, thoroughly audit recent changes, and exercise caution when deploying or using crypto-involved code. The incident serves as yet another wake-up call on the fragility of open-source software supply chains, where even trusted tools may be weaponized when security safeguards—like phishing resistance and deployment validation—fail.
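The two paragraphs above describe the hooking technique: the malicious bundle replaces browser entry points (fetch, XMLHttpRequest, the wallet provider objects) with its own JavaScript. A page can check for exactly that from the defender's side. The following is an added example, written for this article and not code from Aikido Security or from any of the affected packages. It assumes the standard browser globals plus an EIP-1193 style window.ethereum provider with a request() method and a Phantom-style window.solana provider (both assumed provider shapes); the simulated window at the bottom is a constructed stand-in so the script also runs offline in Node.

```javascript
// Added example (not from the article or Aikido): defensive integrity checks for
// the browser entry points the injected code is described as hooking.
//
// Two complementary checks:
//  1. isNativeFunction(): built-ins such as fetch and XMLHttpRequest.prototype.open
//     stringify as "[native code]"; a plain JS wrapper installed by a bundle does not.
//  2. snapshot + replacement check: wallet providers (window.ethereum, window.solana)
//     are injected by extensions as ordinary JS, so check 1 cannot apply to them.
//     Record their function identities as early as possible and detect replacement.
//
// Caveat: a hook built with a Proxy also stringifies as "[native code]" in V8, so
// check 1 alone is not sufficient; run check 2 before any third-party bundle loads.
// In Node, fetch itself is implemented in JS and would be flagged by check 1; the
// native check is meant for real browsers.

const NATIVE_MARKER = /\{\s*\[native code\]\s*\}\s*$/;

function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  try {
    return NATIVE_MARKER.test(Function.prototype.toString.call(fn));
  } catch (e) {
    return false; // toString can throw for exotic objects; treat as non-native
  }
}

// Resolve a dotted path such as "XMLHttpRequest.prototype.open" against root.
function resolvePath(root, path) {
  let cur = root;
  for (const part of path.split('.')) {
    if (cur === null || cur === undefined) return undefined;
    cur = cur[part];
  }
  return cur;
}

// Paths that resolve to a function which is not engine-native.
function findHookedEntryPoints(root, paths) {
  return paths.filter((p) => {
    const fn = resolvePath(root, p);
    return typeof fn === 'function' && !isNativeFunction(fn);
  });
}

// Record current function identities so later replacement can be detected.
function snapshotEntryPoints(root, paths) {
  const snap = new Map();
  for (const p of paths) snap.set(p, resolvePath(root, p));
  return snap;
}

function detectReplacements(root, snapshot) {
  const replaced = [];
  for (const [p, original] of snapshot) {
    if (resolvePath(root, p) !== original) replaced.push(p);
  }
  return replaced;
}

// Browser built-ins that should always be native.
const NATIVE_ENTRY_POINTS = ['fetch', 'XMLHttpRequest.prototype.open', 'XMLHttpRequest.prototype.send'];
// Wallet provider methods (assumed provider shapes; identity check only).
const WALLET_ENTRY_POINTS = ['ethereum.request', 'solana.signTransaction'];

// Constructed stand-in for `window` so the example runs offline in Node. Engine
// natives (Math.max etc.) play the role of browser built-ins; in a page, pass window.
function makeSimulatedWindow() {
  return {
    fetch: Math.max,
    XMLHttpRequest: { prototype: { open: Math.min, send: Math.abs } },
    ethereum: { request: function request(args) { return Promise.resolve(args); } },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const w = makeSimulatedWindow();
  const snap = snapshotEntryPoints(w, WALLET_ENTRY_POINTS);
  console.log('hooked natives:', findHookedEntryPoints(w, NATIVE_ENTRY_POINTS));
  console.log('replaced wallet methods:', detectReplacements(w, snap));
}
```

In a real page the snapshot should be taken in the first inline script of the document, before any bundled dependency runs, and the two checks re-run after the bundles have loaded; any path reported is a signal to block transaction flows and investigate the dependency set.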
This attack underscores two practical imperatives. First, rigorous supply-chain hygiene is indispensable: Teams should pin dependency versions, monitor integrity signals, and use reproducible builds. Second, for developers handling cryptocurrency or sensitive operations, additional layers of trust—manual code review, wallet confirmation mechanisms, or hardware security modules—should be considered essential, not optional. In today’s environment, reliance on convenience without conservative validation may invite serious consequences.