npm Supply-Chain Attack Targets Ethereum and Solana Wallets, But Losses Are Minimal
A major npm supply-chain attack briefly affected billions of users, though the financial impact was negligible, according to security researchers. The incident is being described as one of the largest software supply-chain breaches in recent years.
The attack started Monday when a phishing email targeted a prominent Node.js maintainer, known as “qix,” who is responsible for widely used packages including chalk and debug-js. Sent from support@npmjs[.]help, the email redirected the developer to a spoofed two-factor authentication page hosted on BunnyCDN. Credentials, including username, password, and 2FA codes, were stolen, giving the attacker full control over the packages.
With access, the attacker republished all qix packages with a crypto-focused payload designed to intercept Ethereum and Solana transactions.
How the Malware Worked
The code checked for window.ethereum. If detected, it intercepted the Ethereum transaction functions approve, permit, transfer, and transferFrom, and redirected all transactions to a single wallet: 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976.
For Solana, the malware replaced recipient addresses with invalid strings starting with “1911…,” preventing transfers. It also hijacked network requests via fetch and XMLHttpRequest, scanning JSON responses for wallet-like strings and replacing them with 280 hardcoded alternatives designed to appear legitimate.
Impact Was Minimal
Despite the scale, the attack yielded only about five cents in Ether and roughly $20 in an illiquid memecoin. Security Alliance highlighted that the real cost is now on security teams, who must update systems to prevent future exploits.
Wallet providers largely escaped harm. MetaMask confirmed its safeguards—including version-locking, staged updates, LavaMoat, and Blockaid—prevented malicious code from causing losses. Ledger CTO Charles Guillemet warned that the malware briefly infiltrated packages with over a billion downloads, silently replacing wallet addresses.
The attack follows similar recent incidents in which npm packages used Ethereum smart contracts to conceal malware and disguise command-and-control traffic.
While the monetary damage was trivial, organizations now face the operational cost of auditing and securing critical software dependencies to prevent recurrence.