A new cyberattack is stealing crypto from users while they send transactions, and many experts call it the largest supply chain attack in history. Hackers broke into npm package maintainer accounts using phishing emails. These emails looked like they came from “[email protected],” a lookalike of the real npm registry. The messages told developers their accounts would be locked unless they updated their two-factor authentication. When maintainers clicked the link, attackers captured their login details and placed malware inside popular npm packages.
Eighteen widely used JavaScript libraries were compromised, including chalk, debug, and ansi-styles. Together, these packages get billions of downloads each week and are used by developers all over the world. That means the entire JavaScript ecosystem may have been exposed. BleepingComputer reported that attackers injected code into these libraries that acted like a browser-based interceptor. This code watched network traffic and searched for crypto transactions across Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash. When someone sent a transfer, the malware replaced the real wallet address with one controlled by the hackers before the transaction was signed.
Security researcher Charlie Eriksen explained that the malware works in several ways. It changes what is shown on websites, tampers with API calls, and tricks apps into signing transactions the user did not intend. Charles Guillemet, the CTO of Ledger, warned that the attack is still active and said crypto users should avoid making on-chain transactions if they only use software wallets. Hardware wallet users can protect themselves by checking the details before signing, but anyone without one faces higher risk.
Researchers also found that the phishing infrastructure sent stolen details to “websocket-api2.publicvm.com.” This shows the attack was well coordinated. It follows other npm incidents earlier this year, including one in March that patched the ethers package with a reverse shell and another in July that targeted eslint-config-prettier. The campaign continues to evolve, and this time attackers used Ethereum smart contracts in a new way. Two npm packages called colortoolsv2 and mimelib2 hid malicious commands inside Ethereum smart contracts. Once downloaded, the packages installed second-stage malware, making it harder to detect.
Ethereum smart contracts are small programs that run on the blockchain. They are public and act like open APIs. In this case, hackers used them to store links for downloading the malware, so even if someone checked the package, they might not see the dangerous code. This creative method of command and control shows how threat actors are adapting to avoid detection.
The attackers also tried to make their GitHub repositories look trustworthy. They created fake projects like solana-trading-bot-v2 and ethereum-mev-bot-v2. These had many stars, watchers, and commits, but most of this activity was fake. Accounts were created at the same time, often with only one file, and automated commits inflated the numbers. This social engineering trick made the repositories look real to developers who might include the malicious npm packages in their work.
Experts warn that supply chain attacks are especially dangerous because they target trusted tools. By hiding malware inside open source libraries, hackers can reach millions of developers and end users at once. This year alone, researchers found more than twenty campaigns on npm, GitHub, and PyPI aimed at stealing crypto. Some used infostealers, others deployed coin miners, and many relied on phishing to capture sensitive data.
Indicators of Compromise, or IOCs, such as suspicious domains, obfuscated code, and fake repositories, help security teams detect these threats. Still, many users will not notice until funds are gone. For now, developers need to carefully check packages, maintainers, and code before use. Crypto users should consider hardware wallets and avoid making large transfers until the threat is under control. The attack shows how fast cybercrime is evolving and how important it is to secure both software supply chains and digital assets.
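As an added example, not code from the article or from npm: a lockfile audit that lists every installed copy of the packages the article names, including nested copies under other dependencies, so a team can compare versions against the advisory. The compromised version numbers are not given on this page, so KNOWN_BAD_VERSIONS is left as a placeholder, and the sample lockfile is constructed for the example.

```javascript
// Constructed sample lockfile (npm lockfile v3 layout); not from any real project.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/debug": { version: "4.3.4" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/express/node_modules/debug": { version: "2.6.9" },
  },
});

// Package names the article lists; the watchlist itself is constructed here.
const WATCHLIST = new Set(["chalk", "debug", "ansi-styles", "colortoolsv2", "mimelib2"]);
// PLACEHOLDER: compromised version numbers are not on this page; fill this
// from the advisory before relying on the knownBad flag.
const KNOWN_BAD_VERSIONS = {};

// "node_modules/express/node_modules/@scope/pkg" -> "@scope/pkg"
function nameFromLockPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}

// Map of name -> Set(versions) for lockfile v1 (nested "dependencies") and
// v2/v3 ("packages" keyed by install path), so nested copies are counted too.
function collectVersions(lock) {
  const found = new Map();
  const add = (name, v) => (found.get(name) || found.set(name, new Set()).get(name)).add(v);
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p !== "") add(nameFromLockPath(p), meta.version); // "" is the root project
  }
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      add(name, meta.version);
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return found;
}

// One finding per (watchlisted name, installed version), sorted by name.
function auditLockfile(lockJson) {
  const findings = [];
  for (const [name, versions] of collectVersions(JSON.parse(lockJson))) {
    if (!WATCHLIST.has(name)) continue;
    for (const version of versions) {
      findings.push({ name, version, knownBad: (KNOWN_BAD_VERSIONS[name] || []).includes(version) });
    }
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with the file contents; a package appearing in the output still needs its version checked against the advisory.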