Original | Odaily Planet Daily (@OdailyChina)
Author | Azuma (@azuma_eth)
On September 9, Beijing time, Ledger's Chief Technology Officer Charles Guillemet posted a warning on X stating: "A large-scale supply chain attack is currently underway, with a well-known developer's NPM account being compromised. The affected software packages have been downloaded over 1 billion times, which means the entire JavaScript ecosystem may be at risk."
Guillemet added: "The malicious code works by silently altering cryptocurrency addresses in the background to steal funds. If you are using a hardware wallet, please carefully verify each signed transaction, and you are safe. If you are not using a hardware wallet, please temporarily avoid any on-chain transactions. It is currently unclear whether the attackers have directly stolen the mnemonic phrases of software wallets."
What happened?
According to the security report cited by Guillemet, the direct cause of this incident is: the NPM account of well-known developer @qix was compromised, leading to the release of malicious versions of dozens of software packages, including chalk, strip-ansi, and color-convert. The malicious code may have spread to terminals when developers or users automatically installed dependencies.
Odaily Note: Weekly download data of the compromised software packages.
In short, this is a classic case of supply chain attack — that is, attackers implant malicious code (such as NPM packages) into development tools or dependency systems to do harm. NPM, short for Node Package Manager, is the most commonly used package management tool in the JavaScript/Node.js ecosystem, primarily used for managing dependencies, installing and updating packages, sharing code, and more.
The scale of the NPM ecosystem is enormous, with millions of packages available. Almost all Web3 projects, cryptocurrency wallets, and front-end tools rely on NPM — and because of the vast number of NPM dependencies and the complexity of the links, it is a high-risk entry point for supply chain attacks. As long as attackers implant malicious code into a commonly used package, it can potentially affect thousands of applications and users.
As shown in the flowchart of the malicious code spread:
- A certain project (blue box) will directly depend on some common open-source libraries, such as express.
- These direct dependencies (green box) will also depend on other indirect dependencies (yellow box, such as lodash).
- If an indirect dependency is secretly implanted with malicious code by an attacker (red box), it will enter the project along the dependency chain.
What does this mean for cryptocurrency?
The direct relationship of this security incident with the cryptocurrency industry is that the malicious code implanted by hackers in the aforementioned contaminated software packages is a sophisticated "cryptocurrency clipboard hijacker," which steals crypto assets by replacing wallet addresses and hijacking transactions.
Stress Capital founder GE (@GuarEmperor) provided a more detailed explanation on X, stating that the "clipboard hijacker" injected by hackers employs two attack modes — in passive mode, it uses the "Levenshtein distance algorithm" to replace wallet addresses, which is visually similar and therefore very difficult to detect; in active mode, it detects cryptocurrency wallets in the browser and alters the target address before the user signs the transaction.
Since this attack targets the foundational libraries of JavaScript projects, it means that even projects that indirectly depend on these libraries may be affected.
How are hackers profiting?
The malicious code implanted by hackers also disclosed their attack addresses, with the main attack address on Ethereum being 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976, and the funds mainly coming from the following three addresses:
- 0xa29eEfB3f21Dc8FA8bce065Db4f4354AA683c0240
- x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B
- 0x30F895a2C66030795131FB66CBaD6a1f91461731
Arkham has created a tracking page for this attack incident, where real-time queries can be made regarding the hackers' profits and transfer situations.
As of the publication, the hackers have only profited $496 from the attack, but considering that the extent of the spread of the malicious code has not yet been determined, this figure is expected to continue to rise — the developer has been notified and is actively cooperating with the NPM security team to resolve the issue, and the malicious code has now been removed from most affected software packages, so the situation is being brought under control.
How to mitigate risks?
Defillama founder @0xngmi stated on X that although this incident sounds dangerous, the actual impact is not as exaggerated — because this incident will only affect websites that have pushed updates since the compromised NPM software packages were released, while other projects will continue to use older versions; and most projects will fix their dependencies, so even if they push updates, they will still use the old secure code.
However, since users cannot truly know whether a project has fixed its dependencies or if they have some dynamically downloaded dependencies, it is currently necessary for project parties to conduct self-inspections and disclose their findings.
As of the publication, multiple wallet or application projects, including MetaMask, Phantom, Aave, Fluid, and Jupiter, have disclosed that they are not affected by this incident. Therefore, theoretically, users can safely use confirmed secure wallets to access confirmed secure protocols, but for other wallets or projects that have not yet made security disclosures, temporarily avoiding use may be a safer approach.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
