
Supply-Chain Attack in NPM: 1.07 Billion Downloads

Published: September 8, 2025|Last updated: September 8, 2025

A supply-chain attack on npm has hit ecosystem utilities with a combined roughly 1.07 billion weekly downloads, packages widely used in JavaScript projects and in crypto web applications. The injected payload acts as a crypto-clipper: it intercepts web responses and wallet transactions and substitutes attacker-controlled addresses.

Scale and Attack Surface

The report details the malicious code and its features. Essentially, this is a threat of unprecedented size: malicious builds were deliberately published for foundational utilities that sit deep in web projects' dependency trees. These are not niche libraries but extremely popular building blocks on which almost all modern frontend and backend build pipelines depend transitively. Among them (weekly download figures):

  • chalk with roughly 300 million weekly downloads

  • strip-ansi with about 261 million

  • color-convert with about 193 million

  • color-name with about 191 million

  • is-core-module with about 69 million

  • error-ex with about 47 million

  • has-ansi with about 12 million

Payload Mechanics: Passive Address Substitution and Active Transaction Interception

The payload first checks for window.ethereum, whose presence indicates a browser wallet extension such as MetaMask. Without a wallet, only the passive vector is available: the script monkey-patches the native fetch and XMLHttpRequest, intercepts all web responses, and scans the response text with regular expressions for Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash addresses.

When it finds an address, the code checks whether it already belongs to the attacker; if not, it selects the "most similar" address from the attacker's predefined list by Levenshtein distance and rewrites the response body on the fly. This makes the swap much harder for a user to notice: the substituted address is visually close to the original, and the substitution happens in the network layer before the interface ever sees the data.

If a wallet is detected, a more dangerous active vector comes into play. The wallet provider's request/send functions are patched so that transaction data is intercepted before signing. When a dApp invokes a method such as eth_sendTransaction, the payload rewrites the destination fields in memory, inserting a hard-coded attacker address. This is particularly insidious for anyone who does not check carefully: the user may see the correct recipient in the dApp's UI yet sign a transaction whose recipient has been swapped, and the funds go to the attacker. Because the wallet receives the already-modified request, the recipient shown in the wallet's own signing prompt is the only place the swap is visible, and it must be compared against the intended address from an independent source.

Notably, the passive substitution logic contains an additional stealth measure for Ethereum: when a wallet is active, ETH addresses are not rewritten via this path. This reduces the chance of a noticeable mismatch between the page and the transaction while the active vector is operating at the same time.
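The two hook points described above, the native fetch/XMLHttpRequest globals and the wallet provider's request/send methods, can be probed from the page itself. The following is an added defensive example, not code from the article or from the compromised packages; the function names and the simulated page objects are assumptions for illustration. A genuine built-in serialises through Function.prototype.toString as "function name() { [native code] }", whereas a JavaScript wrapper installed by a monkey-patch serialises as its own source. Wallet providers are ordinary JavaScript, so for them the probe snapshots the method references early and checks later whether anything replaced them.

```javascript
// Added example: probe for clipper-style monkey-patching of the network and
// wallet hook points. Not code from the article or the malicious packages;
// names and the simulated page below are assumptions.

// A genuine built-in serialises as "function name() { [native code] }".
const NATIVE_SRC = /^function\s*[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}$/;

function looksNative(fn) {
  if (typeof fn !== "function") return false;
  // Use the prototype method so an own-property toString on fn is not consulted.
  return NATIVE_SRC.test(Function.prototype.toString.call(fn));
}

// Passive vector: report which network entry points are no longer native.
function probeNetworkHooks(scope) {
  const findings = [];
  if ("fetch" in scope && !looksNative(scope.fetch)) findings.push("fetch");
  const xhr = scope.XMLHttpRequest && scope.XMLHttpRequest.prototype;
  if (xhr) {
    for (const m of ["open", "send"]) {
      if (!looksNative(xhr[m])) findings.push(`XMLHttpRequest.prototype.${m}`);
    }
  }
  return findings;
}

// Active vector: providers are plain JavaScript, so native-ness is no signal.
// Capture the method references as early as possible and compare later.
function snapshotProvider(provider) {
  const snap = {};
  for (const m of ["request", "send", "sendAsync"]) {
    if (typeof provider[m] === "function") snap[m] = provider[m];
  }
  return snap;
}

function changedProviderMethods(provider, snap) {
  return Object.keys(snap).filter((m) => provider[m] !== snap[m]);
}

// Constructed simulation of a page before and after a clipper-style patch.
// Math.max and Array.prototype.push stand in for real native globals so the
// example also runs under Node, where fetch itself is implemented in JS.
function simulatePage() {
  function FakeXHR() {}
  FakeXHR.prototype.open = Array.prototype.push;
  FakeXHR.prototype.send = Array.prototype.push;
  const page = {
    fetch: Math.max,
    XMLHttpRequest: FakeXHR,
    ethereum: { request: async (args) => args },
  };
  const before = probeNetworkHooks(page);
  const snap = snapshotProvider(page.ethereum);

  // The kind of interposition the article describes: keep the originals, wrap.
  const origFetch = page.fetch;
  page.fetch = function fetch(...a) { return origFetch.apply(this, a); };
  const origOpen = FakeXHR.prototype.open;
  FakeXHR.prototype.open = function open(...a) { return origOpen.apply(this, a); };
  const origReq = page.ethereum.request;
  page.ethereum.request = (args) => origReq(args);

  return {
    before,
    after: probeNetworkHooks(page),
    provider: changedProviderMethods(page.ethereum, snap),
  };
}

console.log(JSON.stringify(simulatePage()));
// → {"before":[],"after":["fetch","XMLHttpRequest.prototype.open"],"provider":["request"]}
```

Treat a clean result as necessary rather than sufficient: a payload can also override Function.prototype.toString, or install its wrapper through .bind (bound functions serialise as native), and the provider snapshot only helps if it runs before the malicious bundle executes.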

Among the Ethereum addresses involved is 0xFc4a4858bafef54D1b17697bfb5c52F4c166976. At the code-artifact level, the function names _0x20669a (the address swapper) and runmask (which initiates interception of wallet methods) stand out and may simplify detection in retrospective analysis of builds.

Conclusion

The incident is highly illustrative: even a small library deep in a dependency tree can become the entry point for an ecosystem-wide compromise. It calls for a thorough inventory of dependencies and build pipelines, using npm ci so that installs honour the lockfile exactly, and temporarily pinning known-safe versions of the affected transitive packages (for example through the overrides field in package.json). Note that npm ci only prevents drift from the lockfile; if the lockfile itself already resolved a malicious version, the resolved versions must be checked against the advisories.
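The inventory step above can be scripted. The following is an added example, not code from the article: it walks a package-lock.json (v2/v3 "packages" map, with a fallback for the v1 nested "dependencies" form), lists every resolved copy of the packages named in this article including nested duplicates, and shows how an overrides pin would be merged into package.json. The sample lockfile and its version numbers are constructed placeholders, not the malicious or the safe versions; the output is meant to be compared against the published advisories.

```javascript
// Added example: inventory a lockfile for the packages named in the article.
// Not the article's code; the sample lockfile and versions are constructed.

const WATCHLIST = [
  "chalk", "strip-ansi", "color-convert", "color-name",
  "is-core-module", "error-ex", "has-ansi",
];

// Constructed sample (lockfileVersion 3). Versions are placeholders only.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { chalk: "^5.0.0" } },
    "node_modules/chalk": { version: "5.0.0" },
    "node_modules/strip-ansi": { version: "7.0.0" },
    // A nested duplicate pulled in by an older tool; easy to miss by eye.
    "node_modules/legacy-tool/node_modules/strip-ansi": { version: "6.0.0" },
    "node_modules/color-convert": { version: "2.0.0" },
    "node_modules/@scope/other": { version: "1.0.0" },
  },
};

// Return { name: [{ version, path }, ...] } for every watched package copy.
function resolvedVersions(lockfile, watchlist = WATCHLIST) {
  const watch = new Set(watchlist);
  const found = {};
  const record = (name, version, where) => {
    if (!watch.has(name)) return;
    (found[name] ??= []).push({ version, path: where });
  };

  if (lockfile.packages) {
    // v2/v3: keys are install paths; the package name is everything after
    // the last "node_modules/", which keeps scoped names like "@scope/name".
    const marker = "node_modules/";
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      if (path === "") continue; // the root project entry
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      record(name, meta.version, path);
    }
  } else if (lockfile.dependencies) {
    // v1: nested "dependencies" objects mirror the node_modules tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const here = `${prefix}node_modules/${name}`;
        record(name, meta.version, here);
        if (meta.dependencies) walk(meta.dependencies, `${here}/`);
      }
    };
    walk(lockfile.dependencies, "");
  }
  return found;
}

// Merge pins into package.json "overrides"; npm applies an override to every
// copy of the package in the tree, including nested duplicates.
function pinOverrides(packageJson, pins) {
  return { ...packageJson, overrides: { ...(packageJson.overrides || {}), ...pins } };
}

console.log(JSON.stringify(resolvedVersions(SAMPLE_LOCKFILE), null, 2));
```

To run against a real project, replace SAMPLE_LOCKFILE with the parsed contents of package-lock.json (for example via fs.readFileSync) and compare each reported version with the advisory before deciding which pins to pass to pinOverrides.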

Until major crypto services announce that they have verified their builds and shipped updates, it is safer to refrain from making transactions through affected web applications. Stay tuned for the latest updates from the crypto and blockchain industry.



Alexandros

My name is Alexandros, and I am a staunch advocate of Web3 principles and technologies. I'm happy to contribute to educating people about what's happening in the crypto industry, especially the developments in blockchain technology that make it all possible, and how it affects global politics and regulation.
