The JavaScript ecosystem has faced an unprecedented threat: hackers compromised the account of a well-known developer on the NPM platform and injected malicious code into his projects, designed to steal cryptocurrency.
The incident was reported by Ledger’s CTO, Charles Guillemet, who emphasized that the affected packages had already been downloaded more than one billion times — posing a real danger to millions of developers and users.
How the Attack Happened
The compromised developer was Josh Junon, who explained that he had fallen victim to a phishing attack. He received an email disguised as a message from NPM support, demanding that he update his two-factor authentication under threat of account suspension. By clicking the link, he unknowingly gave hackers access to his popular packages, including Chalk.
The first signs of trouble were noticed by a user nicknamed JD, when a project build unexpectedly failed. It was later revealed that the cause was malicious code embedded in the package. Hackers used the fetch function to exfiltrate stolen data, and only the outdated Node.js version prevented the attack from succeeding. In modern environments, it could have gone completely unnoticed.
How the Malware Works
Researchers discovered that the malicious program operated in two modes:
- Passive Mode – if no wallet was detected, the code modified browser functions and replaced cryptocurrency addresses. To make it less noticeable, the attackers used the Levenshtein algorithm to select the most similar address from their list.
- Active Mode – during transaction signing, the malware replaced the recipient’s address at the last moment. If the user didn’t manually check the details, funds were sent to the hackers.
The attack specifically targeted BTC, ETH, SOL, TRX, LTC, and BCH.
Risks for Users
According to Guillemet, users of software wallets were the most at risk, while those relying on hardware wallets with manual transaction confirmation were better protected.
The founder of DeFi Llama, known as 0xngmi, pointed out that the malware couldn’t automatically drain wallets: transactions still required user approval. However, infected websites could swap legitimate operations — for example, replacing token swaps with fraudulent transfers.
Minal Thukral, Head of Ecosystem Growth at Okto, warned: “The final confirmation screen is your last line of defense. Always check every character of the recipient address before approving a transaction.”
Community Response and Damage
According to software engineer cygaar, the NPM team has already disabled the compromised package versions.
Data from Security Alliance shows that the documented financial damage so far amounts to around $50.
Nevertheless, experts warn that the consequences could have been far greater, and the incident serves as a wake-up call for the entire ecosystem.
Previously, researchers from ReversingLabs had discovered malicious code in the NPM repository that used Ethereum smart contracts to hide commands and load malware.
How to Protect Yourself
- Always use updated package versions.
- Double-check recipient addresses during every transaction.
- Prefer hardware wallets for storing significant funds.
- Stay alert to suspicious emails and credential update requests.
