npm Supply Chain Attack Wave: What Happened? How to Mitigate Risk?

BlockBeats, 2025/09/09 07:22
By: BlockBeats

The download count of the contaminated software package has exceeded 1 billion, posing a potential risk of indirect spread throughout the entire industry.

Original Article Title: "Supply Chain Attack Goes Viral Overnight: What Happened? How to Mitigate Risk?"
Original Article Author: Azuma, Odaily Planet Daily


On September 9th (UTC+8), Ledger's Chief Technology Officer Charles Guillemet posted a warning on X, stating: "A large-scale supply chain attack is currently underway, with a well-known developer's NPM account being compromised. The affected software package has been downloaded over 1 billion times, indicating that the entire JavaScript ecosystem may be at risk."


Guillemet further explained: "The malicious code works by silently modifying cryptocurrency addresses in the background to steal funds. If you use a hardware wallet, carefully verify each signature transaction, and you are secure. If you do not use a hardware wallet, please temporarily avoid any on-chain transactions. It is currently unclear whether the attacker has already stolen the mnemonic phrase of software wallets."




What Happened?


According to the security report cited by Guillemet, the direct cause of this incident was: the NPM account of the well-known developer @qix was compromised, leading to the release of malicious versions of dozens of software packages, including chalk, strip-ansi, and color-convert. The malicious code may have spread to end-users when developers or users automatically installed dependencies.



Odaily Note: Weekly download volume data of compromised software packages.


In short, this is a classic case of a supply chain attack—whereby an attacker implants malicious code (such as an NPM package) in a development tool or dependency system to carry out malicious activities. NPM, short for Node Package Manager, is the most widely used package management tool in the JavaScript/Node.js ecosystem. Its main functions include dependency management, package installation and updates, code sharing, and so on.


The NPM ecosystem is immense, currently consisting of millions of packages, and nearly all Web3 projects, crypto wallets, and frontend tools rely on it. This breadth, together with long and complex dependency chains, is precisely what makes NPM a high-risk entry point for supply chain attacks: by implanting malicious code in one commonly used package, an attacker can potentially affect thousands of applications and users.


[Figure: malicious code propagation flowchart]


As shown in the malicious code propagation flowchart above:


· A certain project (blue box) directly depends on some common open-source libraries, such as express.


· These direct dependencies (green boxes) then depend on other indirect dependencies (yellow boxes, such as lodash).


· If an indirect dependency is secretly injected with malicious code by an attacker (red box), it will propagate along the dependency chain into that project.


What Does This Mean for Cryptocurrency?


The direct relevance of this security incident to the cryptocurrency industry is that the malicious code implanted by the hacker into the aforementioned compromised software package is a sophisticated "cryptocurrency clipboard hijacker" that steals cryptocurrency assets by replacing wallet addresses and hijacking transactions.




Stress Capital founder GE (@GuarEmperor) elaborated on this on X, stating that the hacker's clipboard hijacker uses two attack modes: a passive mode that uses the Levenshtein distance algorithm to swap in a visually similar wallet address, which is extremely difficult to detect; and an active mode that tampers with the target address in a cryptocurrency wallet detected in the browser before the user signs the transaction.


Since this attack targeted the foundational layer libraries of JavaScript projects, even projects indirectly dependent on these libraries may be affected.


How Does the Hacker Profit?


The malicious code implanted by the hacker also exposed the attacker's own addresses. The hacker's primary attack address on Ethereum is 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976, with funds mainly coming from the following three addresses:


· 0xa29eEfB3f21Dc8FA8bce065Db4f4354AA683c0240

· x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B

· 0x30F895a2C66030795131FB66CBaD6a1f91461731


The Arkham team has created a tracking page for this attack event, where you can query real-time information about the hacker's gains and transfers.




At the time of writing, the attack has yielded only $496, but because the spread of the malicious code has not yet been fully determined, this figure may continue to rise. The affected developer has been notified and is actively working with the NPM security team to address the issue; the malicious code has been removed from most of the affected packages, so the situation is under control.


How to Mitigate the Risk?


DefiLlama founder @0xngmi stated on X that, while this event may sound dangerous, the actual impact is not as widespread: the event only affects websites that have pushed updates since the compromised NPM packages were released, so other projects continue to use the old version; and most projects lock their dependencies, so even if they push updates they will still use the old, safe code.


However, because end users cannot tell whether a project has locked its dependencies or pulls some of them dynamically, it is essential right now that projects come forward with self-inspection results and disclosures.
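As an added example (not code from the article, Odaily, or any of the projects named), the JavaScript check below ties together the two points made above: it walks a package-lock.json to show how a watched package such as chalk, strip-ansi or color-convert is reached through indirect dependencies, and reports the exact version the lockfile pins, which is what decides whether a project kept running the old code after the malicious versions were published. The lockfile is a constructed sample and the package name ui-kit is hypothetical.

```javascript
// Constructed sample lockfile (lockfileVersion 2/3 "packages" layout); not a real project.
// "ui-kit" is a hypothetical package that carries its own nested copy of strip-ansi.
const WATCHED = ["chalk", "strip-ansi", "color-convert"];   // package names from the incident report
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-dapp", dependencies: { chalk: "^4.1.2", "ui-kit": "^1.0.0", "strip-ansi": "^7.0.0" } },
    "node_modules/chalk": { version: "4.1.2", dependencies: { "ansi-styles": "^4.1.0" } },
    "node_modules/ansi-styles": { version: "4.3.0", dependencies: { "color-convert": "^2.0.1" } },
    "node_modules/color-convert": { version: "2.0.1" },
    "node_modules/ui-kit": { version: "1.0.0", dependencies: { "strip-ansi": "^6.0.0", chalk: "^4.1.2" } },
    "node_modules/ui-kit/node_modules/strip-ansi": { version: "6.0.1" },
    "node_modules/strip-ansi": { version: "7.1.0" },
  },
};

// Resolve `name` as Node would from the package installed at `fromPath`: the nearest
// node_modules directory first, then walk upward until the top-level node_modules.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;                        // not installed anywhere on the lookup path
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Depth-first walk from the root package; every installed copy (lock path) is visited once,
// and each watched package is reported with its pinned version and one chain that reaches it.
function findWatched(lock, watched) {
  const pkgs = lock.packages, hits = [], seen = new Set();
  const walk = (path, chain) => {
    if (seen.has(path)) return;
    seen.add(path);
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);   // 13 = "node_modules/".length
    if (path && watched.includes(name)) {
      hits.push({ name, version: pkgs[path].version, chain: chain.concat(name).join(" > ") });
    }
    for (const dep of Object.keys(pkgs[path].dependencies || {})) {
      const target = resolveDep(pkgs, path, dep);
      if (target) walk(target, path ? chain.concat(name) : chain);
    }
  };
  walk("", ["(root)"]);
  return hits;
}

const report = findWatched(SAMPLE_LOCK, WATCHED);
console.log(JSON.stringify(report, null, 2));
```

Run against a real lockfile, the same walk tells you whether an affected name appears anywhere in the tree and which version the lock actually pins, so a version published after the compromise can be ruled in or out without guessing.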


As of the time of writing, several wallet and app-side projects, including MetaMask, Phantom, Aave, Fluid, and Jupiter, have disclosed that they are not affected by this event. Therefore, in theory, users can confidently use wallets that have been confirmed safe to access protocols that have been confirmed safe. However, for wallets or projects that have not yet published a security disclosure, temporarily avoiding their use may be the safer approach.

