Hackers infiltrate NPM libraries targeting Ethereum and Solana wallets
A massive supply chain attack shook the crypto industry after hackers compromised the Node Package Manager (NPM) account of a well-known software developer. Malicious code was injected into popular JavaScript libraries downloaded over a billion times, raising fears of widespread wallet theft.
Despite the scale, crypto intelligence platform Security Alliance (SEAL) reported that hackers only managed to steal less than $50 worth of cryptocurrency. Ethereum and Solana wallets were the primary targets.
Only one malicious address identified so far
SEAL identified Ethereum address 0xFc4a48 as the only confirmed malicious wallet linked to the attack. In a post on X, the group explained:
“Imagine compromising an NPM developer with packages downloaded two billion times per week. You’d expect millions in stolen funds. Instead, the profit was under $50.”
Samczsun, a pseudonymous SEAL researcher, compared the incident to “finding the keycard to Fort Knox and using it as a bookmark,” noting that the malware has already been nearly neutralized.
ETH and memecoins among stolen funds
The first theft amounted to just five cents in Ether, which later grew to nearly $50 after attackers siphoned off small amounts of tokens. Etherscan data shows the malicious address has received Brett (BRETT), Andy (ANDY), Dork Lord (DORK), Ethervista (VISTA), and Gondola (GONDOLA) memecoins.
How the NPM attack spread
The breach targeted small utility packages such as chalk, strip-ansi, and color-convert. These dependencies are buried deep within countless JavaScript projects, meaning even developers who never directly installed them could be at risk.
The attackers used crypto-clipper malware, which swaps out wallet addresses during transactions to divert funds.
Charles Guillemet, CTO of Ledger, warned users to be extra cautious when confirming on-chain transactions, reminding them that hidden supply chain vulnerabilities can compromise wallets.
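Because chalk, strip-ansi and color-convert usually arrive as transitive dependencies, a project's lockfile is the place to check whether they are present and what pulls them in. The following is an added example, not code from the article or from SEAL: it assumes npm's lockfileVersion 3 layout, and the sample lockfile, project names and versions are constructed.

```javascript
// Packages named in the article. The article gives no affected versions, so this
// locates the packages in a lockfile; it does not decide whether a version is bad.
const NAMED = new Set(["chalk", "strip-ansi", "color-convert"]);

// Constructed sample (hypothetical project); versions are illustrative only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp", dependencies: { "cli-tool": "^1.0.0" } },
    "node_modules/cli-tool": { version: "1.0.0", dependencies: { chalk: "^4.0.0", "strip-ansi": "^6.0.0" } },
    "node_modules/chalk": { version: "4.1.2", dependencies: { "ansi-styles": "^4.1.0" } },
    "node_modules/ansi-styles": { version: "4.3.0", dependencies: { "color-convert": "^2.0.1" } },
    "node_modules/color-convert": { version: "2.0.1" },
    "node_modules/cli-tool/node_modules/strip-ansi": { version: "6.0.1" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

function findNamedPackages(lock, named = NAMED) {
  const entries = Object.entries(lock.packages || {});
  const root = (lock.packages || {})[""] || {};
  const direct = new Set(
    ["dependencies", "devDependencies", "optionalDependencies"]
      .flatMap((k) => Object.keys(root[k] || {}))
  );
  const hits = [];
  for (const [path, meta] of entries) {
    const name = packageName(path);
    if (!name || !named.has(name)) continue;
    // Every package whose manifest asks for this name, i.e. who pulls it in.
    const requiredBy = entries
      .filter(([, m]) => m.dependencies && name in m.dependencies)
      .map(([p, m]) => packageName(p) || m.name || "(root)");
    hits.push({ name, version: meta.version, path, direct: direct.has(name), requiredBy });
  }
  return hits;
}

for (const h of findNamedPackages(SAMPLE_LOCK)) {
  console.log(`${h.name}@${h.version} direct=${h.direct} via ${h.requiredBy.join(", ")} (${h.path})`);
}
```

In the sample, all three packages are reported with direct=false: the project itself declares only cli-tool, yet the lockfile still installs them.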
Major crypto platforms unaffected
Crypto wallet providers including Ledger and MetaMask confirmed their platforms are safe, citing multiple layers of defense. Phantom Wallet and Uniswap also stated they are unaffected by the compromised packages. Other platforms like Aerodrome, Blast, Blockstream Jade, and Revoke.cash have confirmed the same.
Risk remains for recently updated projects
0xngmi, founder of DefiLlama, clarified that only projects updated after the malware-infected NPM packages were published may face risks. Even then, users would need to approve malicious transactions before any funds could be stolen.
Still, both Guillemet and 0xngmi advised caution, suggesting users avoid interacting with crypto sites until developers fully remove the compromised dependencies.

