Trusted NPM Account Hijacked to Spread Malicious Code That Puts Crypto Transactions and Wallets A...

Hackers used fake websites to steal a trusted npm account and spread harmful code across popular packages.

Crypto wallets like MetaMask and Trust Wallet may be at risk if they used the infected JavaScript libraries.

Users should stop signing transactions and check all packages if their apps recently updated via npm.

A major supply chain attack has compromised a widely trusted npm JavaScript account. Researchers confirmed the malicious code has already infected 18 popular packages. These packages have been downloaded over 2 billion times in the past week alone. The affected packages contain code capable of silently swapping crypto wallet addresses.

This attack is designed to divert transactions without the user’s knowledge. Even if users sign the correct-looking transaction, the funds may still go to the attacker. The JavaScript ecosystem is at risk due to how deeply these packages are integrated. Developers are urged to audit and remove the affected dependencies immediately.

Crypto Wallets and Ecosystems at Risk

The attack impacts many well-known browser-based and desktop wallets, such as MetaMask, Trust Wallet, and Exodus. Hardware wallets remain more secure; however, users must still verify transaction details closely. The attacker uses lookalike wallet addresses to trick users during the signing process.

Only a detailed character-by-character check can spot the difference. Most users check only the first and last few characters of wallet addresses. That leaves them vulnerable to address-swapping tactics. Automated scripts and smart contracts are also at risk if they rely on the compromised libraries.

Entry Point Was a Compromised Developer Account

The breach began when attackers gained control of a trusted npm maintainer’s account. Researchers believe this was done using phishing and fake two-factor authentication prompts.

Recently, cybersecurity researchers noticed that hackers hid malware in Ethereum smart contracts via NPM packages, using blockchain URLs to bypass scans and deliver second-stage payloads. The attackers built fake GitHub repositories with fabricated commits and multiple accounts to boost credibility. GitHub users reported suspicious emails pretending to be from npm support.

The attacker used a domain that mimicked the real npm website. These emails threatened to lock accounts to force developers into clicking phishing links. Once compromised, the account was used to update multiple packages with malicious payloads. Some packages were patched later, but others remain unsafe.

Security Warnings and Developer Response

Security teams and researchers are warning users to avoid on-chain activity for now. Crypto users should disable browser wallets and stop signing transactions temporarily. No major losses have been reported yet, but risks remain high.

Some DeFi platforms, including Axiom and Kamino, confirmed they did not use the infected packages. Still, developers must check all dependencies, especially those linked to popular libraries like Chalk. This kind of vulnerability was also noted in 2024 when hackers exploited Lottie Player JavaScript, compromising wallets on trusted DeFi sites like 1inch.

The npm team disabled known compromised versions, but recent updates may still carry risks. The full scale of the attack remains unknown. The threat could expand if more developer accounts are targeted using similar phishing tactics.
