Largest Supply Chain Attack in Open-Source History
The crypto community is facing one of the largest supply chain attacks ever recorded, after hackers compromised popular JavaScript libraries downloaded billions of times each week. According to multiple reports, attackers breached the Node Package Manager (NPM) account of a well-known developer, secretly injecting malware into trusted packages.
The malware was designed to swap or hijack crypto wallet addresses, effectively diverting funds during transactions.
🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.
— Charles Guillemet (@P3b7_) September 8, 2025
The malicious payload works…
Core Libraries Under Attack
The breach specifically targeted chalk, strip-ansi, and color-convert, small but widely used utilities embedded in the dependency chains of countless apps. While many developers never install these libraries directly, they are buried deep in codebases across the web, making the risk extremely widespread.
The attack appears to have planted a crypto-clipper, a form of malware that silently alters wallet addresses during transactions. This means when a user attempts to send funds, the destination could be replaced with the hacker’s address.
Researchers stressed that while hardware wallet users remain largely safe, those relying on software wallets are highly vulnerable.
Users Urged to Halt Crypto Transactions
Amid rising concerns, security experts urged crypto users to pause online transactions until the threat is contained.
He added that only projects updated after the compromised package was released are at risk, since many developers “pin” their dependencies to older, safer versions. However, users have no easy way to confirm which projects are affected, prompting broad warnings to avoid crypto interactions until packages are patched.
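The two points above (the packages sit deep in the dependency tree, and projects that pin exact versions or never re-resolved after the malicious release were not pulled onto it) are something a maintainer can check mechanically. The script below is an added example written for this article, not code from the article or from any of the projects it names. It walks a package-lock.json (lockfileVersion 3 layout) for every installed copy of chalk, strip-ansi and color-convert, including nested copies, and flags package.json ranges that would let a plain `npm install` float to a newer release. The lockfile and package.json are constructed samples with made-up version numbers, and the list of compromised versions is a placeholder because the article does not state them; fill it from the official advisory before relying on the `affected` flag.

```javascript
// Package names come from the article. Compromised version numbers are NOT
// given on the page, so this map is a labelled placeholder to be filled in
// from the npm / GitHub advisory for the incident.
const WATCHED = ["chalk", "strip-ansi", "color-convert"];
const AFFECTED_VERSIONS = {
  // chalk: ["X.Y.Z"],  // PLACEHOLDER: take the real versions from the advisory
};

// Constructed sample lockfile (lockfileVersion 3: a "packages" map keyed by the
// node_modules path). Nothing here is a real dependency tree; versions are
// invented for illustration only.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "some-cli": "^1.0.0" } },
    "node_modules/some-cli": { version: "1.2.0", dependencies: { chalk: "^5.0.0" } },
    "node_modules/chalk": { version: "5.3.0", dependencies: { "ansi-styles": "^6.0.0" } },
    "node_modules/ansi-styles": { version: "6.2.1", dependencies: { "color-convert": "^2.0.1" } },
    // a second, nested copy: matched on the last path segment like the others
    "node_modules/some-cli/node_modules/color-convert": { version: "2.0.0" },
    "node_modules/color-convert": { version: "2.0.1" },
    "node_modules/strip-ansi": { version: "7.1.0" },
  },
};

// Constructed package.json: one caret range and one exact pin.
const SAMPLE_PKG = {
  dependencies: { "some-cli": "^1.0.0", "left-pad": "1.3.0" },
};

// Report every installed copy of a watched package, wherever it sits in the
// tree. Returns [{ name, path, version, affected }]. Scoped packages
// (node_modules/@scope/name) work because we cut after the last "node_modules/".
function findWatched(lock, watched = WATCHED, affected = AFFECTED_VERSIONS) {
  const hits = [];
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!watched.includes(name)) continue;
    hits.push({
      name,
      path,
      version: meta.version,
      affected: (affected[name] || []).includes(meta.version),
    });
  }
  return hits;
}

// A range that is not an exact version (^, ~, >=, x, *, a tag such as "latest")
// lets `npm install` resolve to a newer release; an exact version does not.
// This is the "pinning" the article refers to. Note that only a committed
// lockfile plus `npm ci` truly freezes the transitive tree; this check only
// flags floating ranges in the project's own package.json.
function floatingRanges(pkg) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/; // 1.2.3 or 1.2.3-beta.1
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!exact.test(range)) out.push({ name, range });
    }
  }
  return out;
}

// Stand-alone run over the constructed samples.
for (const h of findWatched(SAMPLE_LOCK)) {
  console.log(`${h.affected ? "AFFECTED" : "present "} ${h.name}@${h.version} at ${h.path}`);
}
for (const r of floatingRanges(SAMPLE_PKG)) {
  console.log(`floating range: ${r.name} ${r.range}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` and `SAMPLE_PKG` with `JSON.parse(fs.readFileSync(...))` of the project's own files; `npm ls chalk strip-ansi color-convert` gives the same presence information from the CLI but not the affected-version comparison.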
Explanation of the current npm hack
— 0xngmi (@0xngmi) September 8, 2025
In any website that uses this hacked dependency, it gives a chance to the hacker to inject malicious code, so for example when you click a "swap" button on a website, the code might replace the tx sent to your wallet with a tx sending money to…
How Hackers Gained Access
The attackers reportedly used phishing emails disguised as official NPM support messages. Maintainers were told their accounts would be locked unless they updated their two-factor authentication by September 10.
The emails led to a fake login site that captured credentials, granting the attackers access to trusted developer accounts. From there, they pushed malicious updates into packages downloaded by millions each day.
A Wake-Up Call for Open-Source Security
The incident has been described as the biggest warning yet for open-source ecosystems, where community trust often replaces centralized oversight. Developers and end-users alike are being reminded that even the most popular code libraries are not immune to compromise.
With billions of downloads impacted, the attack represents a direct threat to the crypto economy, forcing users to reconsider how much they rely on unseen code dependencies. Until the compromised packages are fully cleaned, experts insist caution is the only safe course.