Widely used JavaScript libraries have been hijacked in what is being reported as the worst software supply chain attack to date. According to those reports, the injected malware is designed to intercept cryptocurrency transactions and swap out wallet addresses so that funds are diverted to the attackers.
Several reports on Monday say the attackers gained access to a well-known developer's Node package manager (NPM) account and quietly pushed malware into widely used JavaScript libraries that millions of applications depend on.
Because the malicious code can replace or steal crypto wallet addresses, a large number of projects may be exposed.
Charles Guillemet, chief technology officer at Ledger, warned on Monday that a large-scale supply chain attack was underway after the NPM account of a trusted developer was compromised. Because the affected packages have already been downloaded more than 1 billion times, he said, the whole JavaScript ecosystem may be at risk.
Among the compromised packages were chalk, strip-ansi and color-convert, small utilities buried deep in the dependency trees of countless applications. These libraries see over a billion downloads per week, so even developers who have never installed them directly may have pulled in a malicious version through a transitive dependency.
NPM works much like an app store: a central registry where developers publish and download small code packages used to build JavaScript applications.
The attackers appear to have installed a crypto-clipper, a class of malware that silently replaces wallet addresses during a transaction so that the money goes to the attacker instead.
Security researchers cautioned that users who verify each transaction on a hardware wallet are protected, but those who rely on software wallets may be particularly exposed.
Users were urged to avoid cryptocurrency transactions
According to an X post by DefiLlama founder 0xngmi, the malicious code does not empty wallets automatically; users must still confirm a bad transaction.
Because the infected JavaScript package can change what happens when you click a button, clicking the "swap" button on an affected website may swap out the transaction data and send the payment to the hacker instead.
He went on to say that only projects modified after the compromised package was published are at risk, and that many developers "pin" their dependencies so they keep using earlier, safer versions.
However, because users cannot readily verify whether a site was properly updated, he advised avoiding crypto websites until the problematic packages have been cleaned up.
The attackers obtained access to NPM maintainer accounts through phishing emails.
Emails purporting to come from official NPM support warned maintainers that their accounts would be frozen unless they "updated" their two-factor authentication by September 10.
The linked phishing site captured the login details that maintainers entered, which let the attackers take over a maintainer's account. Once inside, they published malicious updates to packages that are downloaded billions of times per week.
The attack was particularly dangerous because it worked "at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users' apps believe they are signing," according to Charlie Eriksen, a researcher at Aikido Security.