- Hackers poisoned JavaScript packages with crypto-stealing malware.
- The large-scale attack exposes a DeFi weak point.
- The attackers have only stolen a minimal amount so far.
A version of this article appeared in our newsletter, The Decentralised, on September 9.
GM, Tim here.
DeFi is reeling from a supply chain attack that targeted crypto wallets.
On Monday it was revealed that hackers have poisoned JavaScript packages with crypto-stealing malware. Those packages were collectively downloaded more than 2.6 billion times last week, potentially threatening millions of users worldwide.
Now, DeFi protocols and wallet providers are scrambling to reassure users that they’re not at risk.
The incident highlights how much of DeFi’s $204 billion ecosystem is vulnerable to an unexpected point of failure — an Achilles heel, if you will.
It comes as cybercriminals have stolen $2.2 billion from crypto protocols this year, a 77% uptick from the total amount stolen throughout 2024, according to DefiLlama.
Blockchain developers go to great lengths to ensure their networks are truly decentralised and distributed. After all, much of the value of blockchain technology comes from its resilience to single points of failure that are the bane of more centralised systems.
Yet the years of honing decentralised systems were made largely irrelevant when the developer who maintains over a dozen popular JavaScript packages, which most of DeFi relies on, fell victim to a phishing hack.
To be sure, the compromises didn’t cause any critical failures. But they certainly gave users a scare and slowed things down temporarily.
The hackers updated the JavaScript packages after taking control, injecting malicious code able to hijack network traffic. The goal was to wait for users to send crypto transactions and then use the code to redirect funds to the hackers’ wallet, according to an analysis by Aikido Security.
It’s similar to how North Korean hackers targeted Bybit in February, stealing $1.4 billion from the crypto exchange.
As with the Bybit hack, the malicious code only affects individuals accessing the compromised applications over the web. So as long as users don’t send any transactions until they get the all clear from DeFi protocols and wallet providers, they’re not at risk.
Despite the hack being potentially the largest supply chain attack in history, the attackers have only stolen a minimal amount so far.
An Ethereum address believed to belong to the hackers has only received around $500 worth of crypto so far, according to Arkham Intelligence.
“The biggest financial impact of this entire incident will be the collective thousands of hours spent by engineering and security teams around the world working to clean compromised environments,” Security Alliance, a crypto security nonprofit, said in a blog post.
Still, it’s a stark reminder that the game theory and decentralisation that blockchain developers value so highly can all be for naught if there are other points of failure outside of their purview.
This week in DeFi governance
VOTE: ENS votes to adopt Security Alliance’s Safe Harbor Agreement
PROPOSAL: Gauntlet proposes to renew its partnership with Compound for another year
VOTE: Lisk DAO votes to deploy LSK to Base and deploy liquidity to Aerodrome using Arrakis
Post of the week
Crypto Twitter is upset to find out that half of Coinbase’s code is written using AI — something they see as a potential security risk.
The exchange was recently subject to an incident that saw hackers compromise almost 70,000 users’ data.
Brian Armstrong after leaking all our personal information to scammers - “we’re proud to announce 50% of our code base is AI Vibe Coded”
everyone on CT - pic.twitter.com/6S0F770kzM
— moon (@MoonOverlord) September 4, 2025
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.