Overview

A developer of core JavaScript libraries distributed through NPM was hacked after falling for a phishing email. The email used a common trick: an urgent warning that the recipient’s account would be locked unless they updated their two-factor authentication using a link that looked legitimate.

A low-skill malicious actor then added crypto-stealing code to those libraries. If an organization with a website or web application written in JavaScript updated its code this week, there is a high chance the malicious code was pulled in. Those organizations now need to review and clean their code (see Anatomy of a Billion-Download NPM Supply-Chain Attack).
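One way an organization can start the review this paragraph calls for, as an added example that is not from the original post: a script that walks a package-lock.json and flags any dependency, direct or transitive, whose name@version is on a list of compromised releases. The package names and versions in the list are placeholders, since the post does not name the affected packages; substitute the list from the incident advisory.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2 or 3) for any dependency,
// direct or transitive, whose name@version is on a list of compromised releases.
// The package names/versions below are PLACEHOLDERS, not the real affected packages.

// Constructed sample lockfile, trimmed to the fields this check needs.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-webapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-webapp", dependencies: { "some-cli-helper": "^5.0.0" } },
    "node_modules/some-cli-helper": { version: "5.6.1" },
    "node_modules/some-cli-helper/node_modules/color-util": { version: "2.1.0" },
    "node_modules/unrelated-lib": { version: "1.0.0" }
  }
});

// PLACEHOLDER set of compromised package@version pairs (assumed, not real indicators).
const COMPROMISED = new Set(["some-cli-helper@5.6.1", "color-util@2.1.0"]);

// Derive the package name from a lockfile path, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Return every lockfile entry whose name@version is in the compromised set.
function findCompromised(lockfileText, compromised) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project itself, not a dependency
    const key = `${packageNameFromPath(lockPath)}@${entry.version}`;
    if (compromised.has(key)) hits.push({ path: lockPath, package: key });
  }
  return hits;
}

const hits = findCompromised(SAMPLE_LOCKFILE, COMPROMISED);
for (const h of hits) console.log(`COMPROMISED: ${h.package} installed at ${h.path}`);
if (hits.length === 0) console.log("no known-compromised package versions found");
```

Run it against the real lockfile by reading the file with `fs.readFileSync` instead of the constructed sample; a hit in a nested path means the package arrived as a transitive dependency.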

The injected code specifically targeted Web3/crypto companies and their applications. NPM reverted the affected packages in under three hours, but the ultimate victims are the users of those Web3/crypto applications, especially individuals who hold cryptocurrency wallets.


What is the NPM Supply Chain Hack?

This was a massive software supply chain compromise. When security professionals talk about “supply chain attacks,” this is exactly the type of incident they mean. In penetration testing engagements, our Offensive Security team often recommends simulating these kinds of CI/CD (continuous integration/continuous delivery) attacks. Doing so helps identify gaps in the development process and demonstrates how malicious code can slip into a trusted pipeline.

In this case, the injected code monitored cryptocurrency wallet addresses. When a transaction was prepared, the code replaced the intended destination with the attacker’s address, redirecting funds to their wallet.
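A wallet-side mitigation for the swap described above, as an added example that is not code from the post or from any affected library: before signing, recompute where a transaction actually sends value and compare it with the address the user confirmed. It also covers ERC-20 token transfers, where the destination lives in the calldata rather than in the `to` field; the addresses and sample transactions are constructed placeholders.

```javascript
// Added example: refuse to sign a transaction whose real recipient no longer matches
// the address the user confirmed. For native ETH the recipient is tx.to; for an
// ERC-20 transfer tx.to is the token contract and the recipient is in the calldata.
const TRANSFER_SELECTOR = "0xa9059cbb"; // first 4 bytes of keccak256("transfer(address,uint256)")
const ADDRESS_RE = /^0x[0-9a-f]{40}$/;

function normaliseAddress(a) { return String(a).trim().toLowerCase(); }

// Return every address this transaction would deliver value to.
function extractRecipients(tx) {
  const data = (tx.data || "0x").toLowerCase();
  if (data.startsWith(TRANSFER_SELECTOR) && data.length >= 10 + 64 + 64) {
    // calldata = 4-byte selector | address left-padded to 32 bytes | uint256 amount
    return ["0x" + data.slice(34, 74)];
  }
  return [normaliseAddress(tx.to)];
}

// Check every recipient against the address the user confirmed in the UI.
function verifyBeforeSigning(tx, intendedRecipient) {
  const intended = normaliseAddress(intendedRecipient);
  if (!ADDRESS_RE.test(intended)) return { ok: false, reason: "malformed intended address" };
  for (const r of extractRecipients(tx)) {
    if (!ADDRESS_RE.test(r)) return { ok: false, reason: `malformed recipient ${r}` };
    if (r !== intended) return { ok: false, reason: `recipient swapped: expected ${intended}, got ${r}` };
  }
  return { ok: true, reason: "recipient matches confirmed address" };
}

// Constructed sample data: the user confirmed ALICE; two of the prepared
// transactions come back pointing at OTHER instead.
const ALICE = "0x1111111111111111111111111111111111111111";
const OTHER = "0x2222222222222222222222222222222222222222";
const TOKEN = "0x3333333333333333333333333333333333333333"; // placeholder token contract
const pad32 = (hex) => hex.replace(/^0x/, "").padStart(64, "0");

const goodEth = { to: ALICE, value: "0x1", data: "0x" };
const swappedEth = { to: OTHER, value: "0x1", data: "0x" };
const goodToken = { to: TOKEN, value: "0x0", data: TRANSFER_SELECTOR + pad32(ALICE) + pad32("0x64") };
const swappedToken = { to: TOKEN, value: "0x0", data: TRANSFER_SELECTOR + pad32(OTHER) + pad32("0x64") };

for (const [label, tx] of Object.entries({ goodEth, swappedEth, goodToken, swappedToken })) {
  console.log(label, verifyBeforeSigning(tx, ALICE));
}
```

A check that only compares `tx.to` would pass `swappedToken`, because the token contract address is untouched; only the calldata recipient was changed.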

As of now, one attacker-controlled account holds about $490, though it is not confirmed that all of it came from this incident. Early reports mentioned as little as $0.05 in ETH and $20 of a memecoin stolen, though it’s possible that the total grew as the attack continued.


What It’s Not

It’s important to clarify what did not happen. NPM itself – the service and infrastructure – was not compromised. The attack affected only a specific set of very widely used packages.

The impact was also limited by the attacker’s intent. The malicious code wasn’t designed to harvest data broadly or gain control of every system it touched. Instead, it was narrowly focused on cryptocurrency transactions, quietly swapping wallet addresses to siphon funds.

Equally important, NPM responded quickly. The malicious packages were discovered and rolled back in less than three hours, dramatically reducing the window of exposure. In the world of supply chain compromises, speed matters: a delayed response could have allowed the code to spread into far more applications, with consequences far beyond the crypto community.


Recommendations

For Organizations with JavaScript Web Applications


For Crypto Users

  • Check your wallet balances and recent transactions to make sure you’ve received any funds you were expecting.
  • Be cautious about connecting wallets to new applications until the scope of this incident is fully understood.


For All Individuals

  • Be alert to phishing emails like the one that compromised the developer in this case. They often use urgent threats (“your account will be locked”) combined with fake login links.
  • With any financial or sensitive email, don’t click the links. Instead, open a new browser window and type in the website directly. Once logged in, you’ll almost certainly receive any account alerts and can review any transaction or balance issues.
  • Use a password manager to avoid reusing credentials and to ensure all your passwords are strong. Many security professionals favor tools like 1Password, which can also be used to manage MFA tokens securely.


For IT and Security Teams

  • Eliminate routine password rotation policies. Experience shows they create weaker passwords and normalize suspicious password-reset prompts – the very tactic used in this phishing attack. NIST’s Digital Identity Guidelines (SP 800-63B) explicitly recommend against forced password expiration.


Author: Andre – Offensive Security


Definitions

JavaScript: By far the most widely used programming language for websites.

Library: Pre-written code that developers reuse instead of writing everything from scratch.

NPM (Node Package Manager): The most popular way developers download and update JavaScript libraries.

Web3/crypto application: Apps that connect to blockchains (like Ethereum) and let people send, receive, or trade digital money.

Cryptocurrency wallet: A digital “wallet” (often a browser plugin or mobile app) that stores keys giving access to someone’s cryptocurrency, similar to an online bank account login.

Crypto-stealing code: Hidden software designed to steal cryptocurrency (e.g., Bitcoin, Ethereum, etc.) from users.


References

https://x.com/StarPlatinumSOL/status/1965113543910703175

Anatomy of a Billion-Download NPM Supply-Chain Attack

Oops, No Victims: The Largest Supply Chain Attack Stole 5 Cents

LARGEST SUPPLY CHAIN HACK IN HISTORY ZOMG!!!!111

The Largest Supply Chain Attack in (npm) History?!?


Phishing Email Screenshot

(image: NPM Supply Chain email)