A major breach involving the Node Package Manager (NPM) platform has affected several widely used JavaScript libraries. Hackers accessed the account of a known developer and inserted malware into trusted packages. These packages have been downloaded more than a billion times.
The attack was designed to target cryptocurrency wallets, but according to security group Security Alliance, the total amount stolen so far is under $50. The malware was active for a short time before being identified and removed.
Malware Spread Through Common Packages
The attack used a method known as a crypto-clipper. This type of malware changes wallet addresses during transactions. If a user copies a wallet address, the clipper replaces it with one owned by the attacker.
Security Alliance linked the attack to one Ethereum address, “0xFc4a48.” This wallet received several small transactions, including tokens such as BRETT, ANDY, DORK, VISTA, and GONDOLA. At first, only five cents in Ether were stolen. A few hours later, the total had grown to around $50.
One researcher from the group posted,
“You could have unfettered access to millions of developer workstations… You profit less than 50 USD.”
The scale of the access compared to the low value taken has surprised many in the cybersecurity space.
Risk to Developers Remains Despite Low Theft
The malware was hidden in packages like chalk, strip-ansi, and color-convert. These are small tools that are widely used, often as part of other software. Even developers who didn’t directly install these packages may have been exposed if they updated or built software recently.
The attacker uploaded the malware through a developer account with high trust in the community. That made the infected versions appear safe and caused them to spread quickly. Developers have been advised to stop using any affected versions and check for recent updates.
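As an added example (not code from this article or from any project it names), the Node.js script below shows one way to check for exposure through indirect dependencies: it walks the `packages` map of a `package-lock.json` (lockfile v2/v3) and reports denylisted versions together with the installed packages that require them. The article does not list the affected version numbers, so the versions, the `build-tool` package and the sample lockfile are constructed placeholders.

```javascript
// CONSTRUCTED placeholder versions: replace with the versions named in the
// advisory you are responding to. The article does not list them.
const DENYLIST = {
  "chalk": ["0.0.1-constructed"],
  "strip-ansi": ["0.0.2-constructed"],
  "color-convert": ["0.0.3-constructed"],
};

// CONSTRUCTED sample lockfile: the app declares only "build-tool" (hypothetical),
// which pulls in chalk and a nested copy of color-convert.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "build-tool": "^1.0.0" } },
    "node_modules/build-tool": {
      version: "1.2.0",
      dependencies: { "chalk": "*", "color-convert": "*" },
    },
    "node_modules/chalk": { version: "0.0.1-constructed", dependencies: { "strip-ansi": "*" } },
    "node_modules/strip-ansi": { version: "7.0.0-constructed-clean" },
    "node_modules/build-tool/node_modules/color-convert": { version: "0.0.3-constructed" },
  },
};

// Package name is whatever follows the last "node_modules/" (works for @scope/name).
function nameFromPath(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

function findAffected(lock, denylist) {
  const pkgs = lock.packages || {};
  const root = pkgs[""] || {};
  const direct = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const hits = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    if (path === "") continue; // the root entry is the project itself
    const name = nameFromPath(path);
    const bad = denylist[name];
    if (!Array.isArray(bad) || !bad.includes(meta.version)) continue;
    // Installed packages that declare this name as a dependency.
    const requiredBy = Object.entries(pkgs)
      .filter(([p, m]) => p !== "" && m.dependencies && name in m.dependencies)
      .map(([p]) => nameFromPath(p));
    hits.push({ name, version: meta.version, path, direct: direct.has(name), requiredBy });
  }
  return hits;
}

console.log(JSON.stringify(findAffected(SAMPLE_LOCK, DENYLIST), null, 2));
```

In the sample, both hits report `direct: false`, which is the case the article describes: the project never declared the package, yet a denylisted version is installed.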
0xngmi, the founder of DefiLlama, said that only crypto projects that updated after the bad code was pushed are likely at risk, and that even then, users still have to approve the transaction.
Major Wallet Apps Say They Are Not Affected
Several well-known crypto wallets, including Ledger, MetaMask, and Phantom, confirmed that they are not using the infected packages. Ledger said its system has “multiple layers of defense.” MetaMask also reported that its apps remain unaffected.
Uniswap, Revoke.cash, Blast, and Aerodrome gave similar updates. Each confirmed that they do not rely on the compromised packages or had not updated to the infected versions.
Meanwhile, the issue has raised concern across the developer community, especially in crypto. While the damage was low in terms of stolen funds, many teams are now reviewing their security and package dependencies more closely.