Malicious Code Found in Popular NPM Packages — A Supply Chain Attack Targets Crypto

A major NPM supply chain attack has been uncovered, compromising foundational JavaScript libraries with crypto-stealing malware. Developers worldwide are urged to take immediate action.

A severe supply chain attack has shaken the JavaScript ecosystem after investigators uncovered malicious code in multiple popular NPM packages. The compromised libraries are tied to the well-known open-source developer qix, whose NPM account appears to have been hijacked.

The targeted packages — including strip-ansi, color-convert, color-name, error-ex, has-ansi, and is-core-module — are deeply embedded in dependency trees across nearly every modern web project, framework, and CLI tool. Collectively, these utilities record hundreds of millions of weekly downloads, turning the attack into one of the most consequential in recent memory.


What the Malware Does

The injected code is a crypto-clipper, a type of malware engineered to hijack cryptocurrency transactions. It works by:

  • Intercepting wallet connections (e.g., MetaMask, Phantom) via the window.ethereum object.
  • Replacing legitimate wallet addresses with attacker-controlled ones using Levenshtein distance for visual similarity.
  • Actively altering transaction data during signing, tricking users into sending funds to the attacker.

The malicious payload was heavily obfuscated, but researchers discovered function names like checkethereumw, indicating direct targeting of blockchain environments.

How It Was Discovered

The attack was first flagged after a cryptic build failure in a developer’s CI pipeline returned the error: ReferenceError: fetch is not defined. Investigation revealed that a patched version of error-ex (1.3.3) contained hidden malware, unlike its clean predecessor (1.3.2).

This discovery led to a broader probe, exposing a coordinated campaign against multiple packages where qix had publishing rights.

Why It Matters

These libraries may not be household names like React or Express, but they are fundamental dependencies. For example, error-ex alone logs 47 million downloads per week. A short-lived compromise was enough to weaponize global projects that unknowingly integrated the infected code.


Immediate Protection Steps for Developers

Experts recommend urgent measures:

  1. Use npm ci instead of npm install in build pipelines, so installs follow the lockfile exactly and never pull in unintended upgrades.
  2. Pin affected dependencies to known-safe versions with the overrides field in package.json, which applies the pin everywhere in the dependency tree.
  3. Audit dependencies regularly with tools like npm audit, Snyk, or Dependabot.
  4. Review package-lock.json changes as carefully as application code, since a version bump there is where a compromised release first appears.

This event underscores the fragility of the open-source supply chain, where even a minor package can become a weapon if compromised. With cryptocurrency integration across countless apps, the stakes have never been higher.

Stay alert — a simple unnoticed version bump could expose your users and funds.
