An NPM maintainer account has been compromised through phishing, infecting major libraries such as chalk, strip-ansi, and ansi-styles, which are downloaded over 2.6 billion times per week.
The malware acts as a sophisticated crypto-clipper, intercepting and rewriting on-chain transactions to divert funds to attacker-controlled addresses.
Software wallet users are most at risk, while hardware wallets offer protection, but the threat hangs over the entire crypto and JavaScript ecosystems.
CoinAcademy advises not to sign any crypto transactions at the moment!
An unprecedented attack
A compromised NPM maintainer account, dozens of infected libraries, and over 2.6 billion weekly downloads affected: the attack revealed on September 8, 2025 (French time) is already being called the most severe supply chain hack in the history of software development.
The targeted developer, known as qix, had his NPM account hijacked after a sophisticated phishing campaign. The attackers released malicious versions of ultra-popular packages like chalk, strip-ansi, color-convert, and ansi-styles, all widely used in the JavaScript ecosystem.
How the malware operates
The malicious code injected into the index.js files acts as an advanced crypto-clipper. Once installed via a compromised dependency, it silently intercepts Web3 interactions:
- Monitoring Bitcoin, Ethereum, Solana, Tron, Litecoin, or Bitcoin Cash addresses.
- Real-time substitution of destination addresses.
- Redirecting funds to wallets controlled by attackers.
The severity lies in the malware acting at several levels at once: modifying displayed content, manipulating APIs, and even rewriting transactions at the moment of signing. In effect, a developer or user may believe they are interacting normally with their wallet while the funds are redirected elsewhere.
A direct threat to cryptos
The impact goes beyond the software development world. The compromise directly affects the crypto universe: every on-chain transaction signed from an infected environment can be diverted.
Ledger's CTO quickly responded on X (formerly Twitter):
If you use a hardware wallet, verify every transaction before signing and you are protected. But if you use a software wallet, avoid any on-chain transaction for now.
In other words: without a physical wallet, the risk is immediate. Some researchers fear that the malware could go further and attempt to exfiltrate seeds stored in software wallets.
How to protect yourself?
NPM staff and the compromised developer are working to clean up the infected versions. But the danger remains real:
- Projects depending on a compromised version should be audited immediately.
- Developers should pin their dependencies to a known safe version (overrides in package.json).
- Crypto users must be extra vigilant and use a hardware wallet to sign any transaction, or better yet, sign no transactions at all for the moment.
An attack with lasting impact
This operation follows a series of already concerning compromises in 2025: in March, ten NPM libraries were turned into data thieves; in July, eslint-config-prettier suffered the same fate. But this time, the scale is unprecedented: over a billion cumulative weekly downloads for the compromised libraries alone.
The conclusion is clear: the security of software supply chains has become one of the most critical points of the entire digital ecosystem. And in this specific case, the security of billions in cryptocurrencies has also been at stake.