
The NPM (Node Package Manager) account of the developer QIX has been compromised, allowing attackers to publish malicious versions of his packages.
The attacker published malicious versions of dozens of extremely popular JavaScript packages, including basic utilities. The impact is wide because the affected packages together see over 1 billion downloads each week.
This software supply chain attack specifically targets the JavaScript/Node.js ecosystem.
NPM Supply Chain Attack
Popular developers have fallen victim to phishing. The malicious code injected into the NPM package hijacked the crypto transaction at the time of signing.
Attack method:
• Hook wallet functions (request/send)
• Swap recipient addresses in ETH/SOL transactions
• exchange… pic.twitter.com/jn9h4hwp8v
– Scam Sniffer | web3 anti-scam (@realscamsniffer) September 8, 2025
Crypto Clipper Malware
The malicious code was a “crypto clipper” designed to steal cryptocurrency by swapping wallet addresses in network requests and by hijacking crypto transactions directly. It was also heavily obfuscated to evade detection.
The crypto-stealing malware has two attack vectors. If no crypto wallet extension is found, it intercepts all network traffic by replacing the browser’s native fetch and HTTP request functions, swapping any wallet address it sees against an extensive list of attacker-owned addresses.
Cybersecurity researchers said the address swapping is sophisticated: the malware uses algorithms to pick replacement addresses that are visually similar to the legitimate ones, so the fraud is almost impossible to spot with the naked eye.
If a crypto wallet is found, the malware intercepts transactions before they are signed: when the user initiates a transaction, it modifies the transaction in memory to redirect the funds to the attacker’s address.
The attack targets packages such as chalk, strip-ansi, color-convert, and color-name. These are core building blocks buried deep in countless projects’ dependency trees.
The attack was discovered by accident when a build pipeline failed with a “no fetch defined” error, because the malware attempted to move data out using the fetch function, which was not available in that environment.
“If you use a hardware wallet, be aware of all transactions before signing. It’s safe. If you don’t use a hardware wallet, don’t create on-chain transactions for now.”
Current NPM Hack Description
All websites using this hacked dependency give hackers the opportunity to inject malicious code. For example, if you click the “swap” button on a website, the code could replace the TX that sent it to TX.
– 0xngmi (@0xngmi) September 8, 2025
Wide range of attack vectors
The malware payloads specifically target cryptocurrency, but the attack surface is much broader. It covers every environment in which JavaScript/Node.js applications run: web applications in a browser, desktop applications, server-side Node.js applications, and mobile apps built on JavaScript frameworks.
As a result, ordinary business web applications may unknowingly include these malicious packages; the malware only becomes active when users perform cryptocurrency transactions on that site.
Uniswap and Blockstream were among the first to reassure users that their systems were not at risk.
About NPM Supply Chain Attack Report:
UNISWAP apps are not at risk
Our team confirmed that we were not using any vulnerable versions of the affected packages.
As always, beware
– uniswap labs (@uniswap) September 8, 2025
