September 9, 2025 | Crypto Potato

Crypto-Stealing Malware Infiltrates Core JavaScript Libraries Used by Millions

The NPM (Node Package Manager) account of developer ‘qix’ was compromised, allowing hackers to publish malicious versions of his […] attackers published malicious versions of dozens of extremely popular JavaScript packages, including fundamental […] hack was massive in scope since the affected packages have over 1 billion combined weekly […] attack on the software supply chain specifically targets the JavaScript/Node.js […]

Supply Chain Attack
Popular dev qix fell victim to […] code injected into npm packages now hijacks crypto transactions at […] method:
• Hooks wallet functions (request/send)
• Swaps recipient addresses in ETH/SOL transactions
• Replaces… […]
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) September 8, 2025

Crypto Clipper Malware

The malicious code was a “crypto-clipper” designed to steal cryptocurrency by swapping wallet addresses in network requests and hijacking crypto transactions […] was also heavily obfuscated to avoid […] crypto-stealing malware has two attack […] no crypto wallet extension is found, the malware intercepts all network traffic by replacing the browser’s native fetch and HTTP request functions with extensive lists of attacker-owned wallet […] sophisticated address swapping, it employs algorithms to find replacement addresses that look visually similar to legitimate ones, making the fraud nearly impossible to spot with the naked eye, said cybersecurity […] a crypto wallet is found, the malware intercepts transactions before signing, and when users initiate transactions, it modifies them in memory to redirect funds to attacker

[…] attack targeted packages such as ‘chalk,’ ‘strip-ansi,’ ‘color-convert,’ and ‘color-name,’ which are core building blocks buried deep in the dependency trees of countless […] attack was discovered accidentally when a build pipeline failed with a “fetch is not defined” error as the malware attempted to exfiltrate data using the fetch function.
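Both attack paths described above work by replacing functions that page code calls: the browser's fetch and HTTP request functions, or the wallet's request/send. The following is an added defensive example, not code from the article or from any affected package; it records those function references early and later reports any that were swapped. The names WATCHED, snapshotHooks, findReplacedHooks and the fake window object are hypothetical and constructed for illustration.

```javascript
// Added example. Paths to the functions the article says the malware replaces or hooks.
const WATCHED = [
  ['fetch'],
  ['XMLHttpRequest', 'prototype', 'open'],
  ['XMLHttpRequest', 'prototype', 'send'],
  ['ethereum', 'request'], // wallet provider, present only if an extension injected one
  ['ethereum', 'send'],
];

// Walk a property path; returns undefined if any step is missing.
function resolve(root, path) {
  return path.reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Record the current function references. Call this as early as possible,
// before any third-party bundle has executed.
function snapshotHooks(root, paths = WATCHED) {
  const snap = new Map();
  for (const path of paths) snap.set(path.join('.'), resolve(root, path));
  return { paths, snap };
}

// Return the dotted paths whose reference no longer matches the baseline.
function findReplacedHooks(root, baseline) {
  return baseline.paths
    .filter((path) => resolve(root, path) !== baseline.snap.get(path.join('.')))
    .map((path) => path.join('.'));
}

// Constructed stand-in for a browser window, so the example runs offline.
function makeFakeWindow() {
  function XMLHttpRequest() {}
  XMLHttpRequest.prototype.open = function open() {};
  XMLHttpRequest.prototype.send = function send() {};
  return { fetch: async () => 'ok', XMLHttpRequest, ethereum: { request: async () => null } };
}

function demo() {
  const win = makeFakeWindow();
  const baseline = snapshotHooks(win);
  // Simulate a dependency wrapping fetch and the wallet's request method.
  const realFetch = win.fetch;
  win.fetch = (...args) => realFetch(...args);
  const realRequest = win.ethereum.request;
  win.ethereum.request = (...args) => realRequest(...args);
  return findReplacedHooks(win, baseline);
}
```

The snapshot only helps if it is taken before any third-party bundle executes. A wallet extension that injects its provider after the snapshot also shows up as a change and needs a fresh baseline.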

“If you use a hardware wallet, pay attention to every transaction before signing, and you’re […] you don’t use a hardware wallet, refrain from making any on-chain transactions for now,” advised Ledger CEO Charles

[…] of the current npm hack
In any website that uses this hacked dependency, it gives a chance to the hacker to inject malicious code, so for example when you click a “swap” button on a website, the code might replace the tx sent to your wallet with a tx sending money to…
— 0xngmi (@0xngmi) September 8, 2025

Broad Attack Vector

While the malware’s payload specifically targets cryptocurrency, the attack vector is much […] affects any environment running JavaScript/Node.js applications, such as web applications running in browsers, desktop applications, server-side […] applications, and mobile apps using JavaScript […] a regular business web application could unknowingly include these malicious packages, but the malware would only activate when users interact with cryptocurrency on that […] and Blockstream were among the first to reassure users that their systems were not at

[…] the reports of the NPM supply chain attack:
Uniswap apps are not at risk
Our team has confirmed that we do not use any vulnerable versions of the affected packages
As always, be vigilant
— Uniswap Labs (@Uniswap) September 8, 2025
