Written by: Azuma, Odaily Planet Daily
On September 9, Beijing time, Ledger's Chief Technology Officer Charles Guillemet issued a warning on X, stating: "A large-scale supply chain attack is currently underway, with a well-known developer's NPM account being compromised. The affected software packages have been downloaded over 1 billion times, which means the entire JavaScript ecosystem may be at risk."
Guillemet further stated: "The malicious code works by silently altering cryptocurrency addresses in the background to steal funds. If you are using a hardware wallet, please carefully verify each signed transaction, and you are safe. If you are not using a hardware wallet, please temporarily avoid any on-chain transactions. It is currently unclear whether the attackers have directly stolen the mnemonic phrases of software wallets."
What Happened?
According to the security report cited by Guillemet, the direct cause of this incident was the compromise of the NPM account of well-known developer @qix, leading to the release of malicious versions of dozens of software packages, including chalk, strip-ansi, and color-convert. The malicious code may have spread to terminals when developers or users automatically installed dependencies.
Odaily Note: Weekly download data of the compromised software packages.
In short, this is a classic case of a supply chain attack—where attackers embed malicious code (such as NPM packages) in development tools or dependency systems to cause harm. NPM, short for Node Package Manager, is the most commonly used package management tool in the JavaScript/Node.js ecosystem, primarily used for managing dependencies, installing and updating packages, sharing code, and more.
The scale of the NPM ecosystem is enormous, with millions of packages available. Almost all Web3 projects, cryptocurrency wallets, and front-end tools rely on NPM—this vast number of dependencies and complex links make it a high-risk entry point for supply chain attacks. If an attacker embeds malicious code in a commonly used package, it can potentially affect thousands of applications and users.
As shown in the flowchart of the malicious code spread:
- A certain project (blue box) directly depends on some common open-source libraries, such as express.
- These direct dependencies (green box) may depend on other indirect dependencies (yellow box, such as lodash).
- If an indirect dependency is secretly implanted with malicious code by an attacker (red box), it will enter the project through the dependency chain.
What Does This Mean for Cryptocurrency?
The direct relationship of this security incident with the cryptocurrency industry is that the malicious code injected by hackers into the aforementioned contaminated software packages is a sophisticated "cryptocurrency clipboard hijacker," which steals crypto assets by replacing wallet addresses and hijacking transactions.
GE (@GuarEmperor), founder of Stress Capital, provided a more detailed explanation on X, stating that the "clipboard hijacker" injected by hackers employs two attack modes—passive mode uses the "Levenshtein distance algorithm" to replace wallet addresses, making it visually similar and thus very difficult to detect; active mode detects cryptocurrency wallets in the browser and alters the target address before the user signs the transaction.
Since this attack targets the foundational libraries of JavaScript projects, it means that even projects that indirectly depend on these libraries may be affected.
How Much Have the Hackers Profited?
The malicious code implanted by the hackers also revealed their attack addresses. The main attack address on Ethereum is 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976, with funds primarily coming from the following three addresses:
0xa29eEfB3f21Dc8FA8bce065Db4f4354AA683c0240
0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B
0x30F895a2C66030795131FB66CBaD6a1f91461731
Arkham has created a tracking page for this attack, where the hacker's profit and transfer status can be queried in real-time.
As of the publication, the hacker has only profited $496 from the attack, but considering that the extent of the spread of the malicious code has not yet been determined, this figure is expected to continue to rise— the developer has been notified and is actively cooperating with the NPM security team to resolve the issue. The malicious code has now been removed from most affected packages, so the situation is under control.
How to Mitigate Risks?
Defillama founder @0xngmi stated on X that although this incident sounds dangerous, the actual impact is not as exaggerated—because this incident will only affect websites that have pushed updates since the compromised NPM packages were released; other projects will continue to use older versions. Most projects also fix their dependencies, so even if they push updates, they will still use the old secure code.
However, since users cannot truly know whether a project has fixed its dependencies or if they have some dynamically downloaded dependencies, it is currently necessary for project parties to conduct self-checks and disclose their findings.
As of the publication, multiple wallet or application projects, including MetaMask, Phantom, Aave, Fluid, and Jupiter, have disclosed that they are not affected by this incident. Therefore, theoretically, users can safely use confirmed secure wallets to access confirmed secure protocols, but for other wallets or projects that have not yet made security disclosures, temporarily avoiding use may be a safer approach.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
