A recent Node Package Manager (NPM) attack stole just $50 worth of crypto, but industry experts say the incident highlights ongoing vulnerabilities for exchanges and software wallets.
Charles Guillemet, the chief technology officer of hardware wallet company Ledger, said in a Tuesday X post that the attempted exploit was a “clear reminder” that software wallets and exchanges remain exposed to risks.
If your funds sit in a software wallet or on an exchange, you’re one code execution away from losing everything,” he said, adding that supply-chain compromises remain a powerful malware delivery vector.
Guillemet took the opportunity to advocate for hardware wallets, saying that features like clear signing and transaction checks would help users withstand such threats. “The immediate danger may have passed, but the threat hasn’t. Stay safe,” he added.
Largest NPM attack stole only $50 in crypto
The attack unfolded after hackers acquired credentials using a phishing email sent from a fake NPM support domain.
Using their newly acquired access to developer accounts, the attackers pushed malicious updates to popular libraries. This included chalk, debug strip-ansi and more.
The code they injected attempted to hijack transactions by intercepting wallet addresses and replacing them in network responses across several blockchains, including Bitcoin, Ethereum, Solana, Tron and Litecoin.
TON CTO breaks down NPM attack
Anatoly Makosov, the chief technology officer of The Open Network (TON), said that only specific versions of 18 packages were compromised and that rollbacks were already published.
Breaking down the mechanics of the attack, Makosov said compromised packages functioned as crypto clippers, which silently spoofed wallet addresses in products that relied on the infected versions.
This means web apps interacting with the aforementioned chains risked having their transactions intercepted and redirected without the knowledge of the users.
He said that developers who pushed their builds within hours of the malicious updates and apps that auto-update their code libraries instead of freezing them to a safe version were the most exposed.
Makosov shared a checklist on how developers can check if their apps were compromised. The main sign is whether the code is using one of 18 versions of popular libraries like ansi-styles, chalk or debug. He said if a project relies on these versions, it’s likely compromised.
He said the fix is to switch back to safe versions, reinstall clean code and rebuild applications. He added that new and updated releases are already available and urged developers to act quickly to clear out the malware before it can affect their users.
