Hackers Who Attacked JavaScript via an NPM Developer Have So Far Stolen Only $50


Josh Junon, a popular developer on the NPM platform, was hacked by cybercriminals. The breach gave the attackers a foothold in the JavaScript ecosystem, enabling them to inject malicious software into widely used libraries aimed at stealing funds from cryptocurrency wallets, according to Charles Guillemet, CTO of Ledger.

The attack began with a sophisticated phishing campaign targeting Josh Junon, also known by his maintainer handle “qix.” The attackers sent a fake email purporting to come from NPM support, using a domain that was a deceptive lookalike of the real npmjs.com. The email claimed that Junon’s account would be locked on September 10, 2025, if he did not update his Two-Factor Authentication (2FA) credentials, falsely stating they were over 12 months old.

How the Attack Happened

Junon, distracted and using a mobile device during a busy week, clicked the malicious link and entered his credentials on the counterfeit site, which immediately gave the attackers full control over his NPM account. The phishing domain was registered just three days before the attack, demonstrating careful planning.

With control of Junon’s account, attackers published malicious versions of 18 popular npm packages, including essential utilities like Chalk, strip-ansi, and color-convert, all foundational components used by millions of JavaScript projects worldwide.

Scale and Impact

The compromised packages have been downloaded more than 1 billion times (the affected packages together see up to 2.7 billion downloads weekly), highlighting the large blast radius and the risk to the entire JavaScript ecosystem.

Despite the attack’s reach, the direct theft of cryptocurrency so far has been limited: less than $50 in stolen funds, mostly from Ethereum and Solana wallets, has been confirmed by security researchers.

How the Malicious Software Works

The malware inserted into the packages is a cryptocurrency clipper that intercepts transactions in browsers by replacing wallet addresses during crypto transfers. When a user initiates a payment from their crypto wallet, the malware swaps the recipient address with one controlled by the attackers, redirecting funds without immediate visible signs.


However, users must still confirm each transaction manually, which limits the attacker’s ability to empty wallets automatically. This defense provides some protection to cautious and experienced users.

Who Is Most at Risk?

Primarily at risk are users of software wallets and decentralized applications (dApps), which do not require physical confirmation for each transaction.

Users who hold their assets in hardware (cold) wallets, requiring physical confirmation for transactions, remain more secure as the attack cannot bypass manual transaction approval.

According to the founder of DeFi Llama (0xngmi), the malware cannot perform automatic fund withdrawals and relies on users to approve each transaction, thus reducing the attack’s potential impact.

Response and Recommendations

For Developers:

  • Carefully audit dependencies and avoid updating to compromised package versions.
  • Strengthen personal account security by using robust 2FA methods and being vigilant against phishing.
  • Monitor security advisories from NPM and the broader developer community.
  • Use static code analysis tools to detect injected malicious code in projects.
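One way to act on the dependency-audit advice above, given that compromised versions can linger in package-lock files: an added Node.js example (not from the article or from npm) that scans a package-lock.json for watchlisted package versions. The package names are those the article lists; the version strings and the sample lockfile are constructed placeholders.

```javascript
// Added example (not from the article): scan a package-lock.json for pinned
// versions of watchlisted packages. Names come from the article; the version
// strings are PLACEHOLDERS, not the real compromised versions.
const WATCHLIST = {
  "chalk": ["0.0.0-placeholder"],
  "strip-ansi": ["0.0.0-placeholder"],
  "color-convert": ["0.0.0-placeholder"],
};
// Bare package name from a lockfile v2/v3 path, e.g.
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromPath(p) {
  const marker = "node_modules/";
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? p : p.slice(idx + marker.length);
}

// Return [{name, version, path}] for every installed copy of a watchlisted package
// at a watchlisted version, including copies nested under other dependencies.
// Handles lockfileVersion 2/3 ("packages" keyed by path) and the v1 nested tree.
function findWatchlisted(lock, watchlist = WATCHLIST) {
  const hits = [];
  const check = (name, version, path) => {
    if ((watchlist[name] || []).includes(version)) hits.push({ name, version, path });
  };
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p !== "") check(nameFromPath(p), meta.version, p); // "" is the root project
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => Object.entries(deps).forEach(([n, m]) => {
      check(n, m.version, `${prefix}node_modules/${n}`);
      if (m.dependencies) walk(m.dependencies, `${prefix}node_modules/${n}/`);
    });
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (v3): one direct hit, one clean entry, one nested hit.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "0.0.0-placeholder" },
    "node_modules/strip-ansi": { version: "9.9.9-clean-sample" },
    "node_modules/debug/node_modules/color-convert": { version: "0.0.0-placeholder" },
  },
};
console.log(JSON.stringify(findWatchlisted(SAMPLE_LOCK), null, 2));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` after replacing the placeholder versions with those named in the advisory; a non-empty result means a flagged version is pinned somewhere in the tree, not just at the top level.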

For Users:

  • Avoid transacting using potentially compromised wallets or applications until ecosystems are cleansed.
  • Prefer using hardware wallets or wallets with multi-factor authentication.
  • Double-check wallet addresses during crypto transactions for any suspicious modifications.

Conclusion and Warnings

While the financial damage from this attack remains low for now, the incident reveals severe vulnerabilities in software supply chains and the JavaScript ecosystem, a critical part of today’s technology stack and crypto infrastructure.

Given the scale and sophistication of the attack, experts warn future supply chain attacks may be more devastating. Malicious packages can persist in caches or package-lock files, perpetuating the threat for extended periods.

Community-wide vigilance, improved security practices, and effective monitoring are crucial to mitigate risks and prevent similar attacks.

Publication author: Svetlana Tet