Ethereum and Solana Wallets Targeted in Massive npm Supply-Chain Attack, But Losses Minimal
A major npm supply-chain attack briefly impacted billions of users, though the financial losses were negligible. Researchers describe the incident as one of the largest software supply-chain breaches in recent years.
The attack started Monday when a phishing email targeted a leading Node.js developer behind widely used packages like chalk and debug-js, collectively known as “qix.” The email, sent from support@npmjs[.]help, directed the developer to a spoofed two-factor authentication page hosted on BunnyCDN. Credentials, including username, password, and 2FA codes, were stolen, giving the attacker full control of the developer’s packages.
Once access was gained, all qix packages were republished with a crypto-focused payload designed to intercept Ethereum and Solana transactions.
How the Malware Worked
The code first checked for window.ethereum. If detected, it intercepted Ethereum functions such as approve, permit, transfer, and transferFrom, rerouting all transactions to a single wallet: 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976.
On Solana, the malware replaced recipient addresses with invalid strings beginning with “1911…,” causing transfers to fail. It also hijacked network requests through fetch and XMLHttpRequest, scanning JSON responses for wallet-like strings and replacing them with one of 280 hardcoded alternatives to appear legitimate.
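A defender-side integrity check for the hooks described above, added here as an example; it is not code from the original report, from npm, or from any of the wallet projects the article mentions. It assumes a browser page with the standard fetch and XMLHttpRequest globals and an injected wallet provider at window.ethereum exposing a request() method (the method name is an assumption; the article names only the provider object). Two checks are combined: references to the real functions are captured as early as possible and compared later, and built-ins are stringified to confirm they still report native code.

```javascript
// Added example (not code from the article or from any wallet project): integrity check
// for the browser APIs the payload is described as hooking: fetch, XMLHttpRequest and
// the window.ethereum provider.
// Two complementary checks are combined:
//   1. snapshot/compare: capture the original function references as early as possible
//      (ideally in the first script on the page) and report any later replacement;
//   2. native-code test: a genuine built-in stringifies to "{ [native code] }", while a
//      plain JavaScript wrapper exposes its source. Applied only to targets marked native.

// Keep a private reference so a later patch of Function.prototype.toString cannot lie to us.
const nativeToString = Function.prototype.toString;

function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
}

// targets: [{ name, obj, prop, native }]. Returns a Map of name -> reference seen now.
function snapshotApis(targets) {
  const snap = new Map();
  for (const { name, obj, prop } of targets) {
    if (obj && typeof obj[prop] === "function") snap.set(name, obj[prop]);
  }
  return snap;
}

// Re-read every target; report references that changed since the snapshot and, for
// targets expected to be built-ins, any that are no longer native functions.
function auditApis(targets, snapshot) {
  const findings = [];
  for (const { name, obj, prop, native } of targets) {
    if (!obj) continue; // e.g. no wallet provider injected on this page
    const current = obj[prop];
    if (snapshot.has(name) && snapshot.get(name) !== current) {
      findings.push({ name, reason: "reference replaced since snapshot" });
    } else if (native && typeof current === "function" && !isNativeFunction(current)) {
      findings.push({ name, reason: "not a native function" });
    }
  }
  return findings;
}

// Targets a wallet-facing page would watch, taken from the article's description.
// window.ethereum.request is an assumed EIP-1193 style provider method; being wallet
// JavaScript it is never native, so only the snapshot check applies to it.
function walletPageTargets(g = globalThis) {
  const xhrProto = g.XMLHttpRequest && g.XMLHttpRequest.prototype;
  return [
    { name: "fetch", obj: g, prop: "fetch", native: true },
    { name: "XMLHttpRequest.prototype.open", obj: xhrProto, prop: "open", native: true },
    { name: "XMLHttpRequest.prototype.send", obj: xhrProto, prop: "send", native: true },
    { name: "ethereum.request", obj: g.ethereum, prop: "request", native: false },
  ];
}

// Browser usage: take the snapshot as early as possible, then re-audit before sensitive
// actions (for example right before asking the provider to sign a transaction).
const pageTargets = walletPageTargets();
const pageSnapshot = snapshotApis(pageTargets);
function auditBeforeSigning() {
  return auditApis(pageTargets, pageSnapshot);
}
```

The snapshot comparison is the primary check: it catches any replacement, including a Proxy, as long as the snapshot was taken before the malicious script ran. The native-code test is a cheap fallback for pages that cannot guarantee load order, with a known blind spot: the language specification makes a callable Proxy around a built-in stringify as native code, so a Proxy-based hook passes it.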
Impact and Response
Despite widespread distribution, the attacker only obtained around five cents in Ether and about $20 in an illiquid memecoin, according to Security Alliance. The real cost now falls on developers and security teams who must audit and update systems to prevent future attacks.
Wallet providers largely avoided losses. MetaMask confirmed its security measures—including version-locking, staged updates, LavaMoat, and Blockaid—blocked the malicious code and flagged compromised addresses. Ledger CTO Charles Guillemet warned that the malware briefly affected packages with over a billion downloads, silently replacing wallet addresses.
The incident follows other recent attacks in which npm packages exploited Ethereum smart contracts to conceal malware, disguising command-and-control traffic as ordinary blockchain activity.
While monetary losses were minimal, the attack highlights the critical need for robust supply-chain security and ongoing vigilance in the developer community.