- Experts say a prominent developer was phished.
- The attack requires user interaction to succeed.
- Still, cybersecurity experts advise against making any transactions.
Hackers have poisoned popular JavaScript packages with crypto-stealing malware, potentially threatening millions of developers and users worldwide.
The large-scale attack targeted a prominent developer’s account after tricking them with fake emails — a technique known as phishing — to then inject malicious code into packages that get downloaded over one billion times per week.
The malware silently replaces wallet addresses when users try to send funds, instead redirecting the money to wallets controlled by the attackers.
Security experts discovered the attack when routine software builds started failing unexpectedly. They’re now urging everyone to avoid making crypto transactions until the infected packages are removed.
“If you use a hardware wallet, pay attention to every transaction before signing and you’re safe,” Charles Guillemet, chief technology officer at hardware wallet provider Ledger, wrote on X.
“If you don’t use a hardware wallet, refrain from making any on-chain transactions for now.”
Every blockchain
Nobody is safe right now, experts say.
That’s because the attack monitors all network traffic for wallet addresses across most major blockchains — including Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash.
But that’s not the worst of it.
The malware has a particularly nasty way of avoiding detection: when a hardware wallet connects, the code automatically disables its address-swapping function to avoid triggering security alerts.
1 billion downloads
The sheer scale of those who might be affected also makes the attack potentially devastating.
The affected packages collectively receive over one billion downloads per week, meaning the malicious code could already be embedded in countless apps.
“JavaScript is arguably the most popular programming language for modern projects, and crypto is not different,” Tal Be’ery, chief technology officer at hardware wallet firm ZenGo, told DL News.
Moreso, said Be’ery, because websites are the target of this attack and “they are definitely using JavaScript.”
But the fact that the code attacks websites might mean the risk may be more limited than initially feared.
“This will only impact websites that pushed an update since the hacked npm package was published, as other projects will have the old version,” explained 0xngmi, developer of DefiLlama, DL News’ sister organisation.
“Most projects pin their dependencies, so even if they push an update they’ll keep using the old safe code.”
Pedro Solimano is DL News’ Buenos Aires-based markets correspondent. Got at a tip? Email him atpsolimano@dlnews.com.