NPM Supply Chain Attack

Security Advisory
September 9, 2025
Kudelski Security Team

Summary

A significant supply chain attack has compromised the NPM account of the developer known as qix, leading to the distribution of malicious versions of numerous widely used packages. This attack has affected packages with a combined weekly download count exceeding 2-3 billion, posing a substantial threat to the JavaScript ecosystem. The malicious code, identified as a crypto-clipper, is designed to intercept and manipulate cryptocurrency transactions by swapping wallet addresses and hijacking transactions.

Affected Systems and/or Applications

The attack primarily targets the following NPM packages, which are widely used across various projects:

The GitHub code repositories for these packages were not affected; the attack was confined to the NPM registry.

Technical Details

1. Phishing Attack

  • The attack began with a phishing email sent from a domain impersonating npmjs.com ([email protected]). This email was designed to trick the package maintainer into providing their credentials, including two-factor authentication (2FA) codes.
  • The phishing email contained a link to a malicious site that mimicked the legitimate npmjs.com, capturing the credentials entered by the victim.

2. Account Compromise

  • Once the attacker obtained the credentials, they gained access to the NPM account of the maintainer, allowing them to publish malicious versions of popular packages.

3. Malware Injection

  • The attacker injected crypto-stealing malware into the index.js files of the compromised packages. The payload is a sophisticated browser-based interceptor that hooks JavaScript functions such as fetch and XMLHttpRequest, and wallet APIs such as window.ethereum and the Solana provider.

4. Malware Functionality

  • Network Traffic Interception: The malware hooks network functions to intercept and manipulate data. It scans network responses for cryptocurrency addresses and replaces them with attacker-controlled addresses, choosing the replacement by Levenshtein distance so that it is visually similar to the original.
  • Transaction Hijacking: For Ethereum and Solana transactions, the malware modifies transaction parameters such as recipients and approval targets before they are signed by the user. This ensures that funds are redirected to the attacker's wallet.
  • Stealth Operations: The malware operates stealthily by avoiding obvious changes in the user interface, making it difficult for users to detect the compromise.

5. Technical Implementation

  • The malware uses obfuscated JavaScript code to evade detection and analysis. It employs techniques like monkey-patching to override native functions and inject malicious logic.
  • It checks for the presence of window.ethereum to determine if a crypto wallet is being used, and if so, it hooks into the wallet's communication methods (request, send, sendAsync).
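Because the payload works by replacing fetch, XMLHttpRequest and the wallet provider's request/send/sendAsync methods, a page can detect that class of tampering by recording those function objects before any bundled dependency runs and re-checking them later. The following is an added example written for this advisory, not code from Kudelski Security or from the affected packages. It assumes the page can take the snapshot early (for instance from an inline script at the top of the document); the `makeFakeWindow` object, the `wrapLikeABundle` helper and the function names are all constructed for the demonstration so it can be run under Node.

```javascript
// Added example (not part of the advisory): integrity check for the browser
// entry points the clipper is described as hooking. Assumption: snapshotHooks()
// runs before any third-party bundle; makeFakeWindow() is a constructed
// stand-in for `window` so the check is runnable under Node.

const WATCHED_PATHS = [
  'fetch',
  'XMLHttpRequest.prototype.open',
  'XMLHttpRequest.prototype.send',
  'ethereum.request',
  'ethereum.send',
  'ethereum.sendAsync',
];

// Browser built-ins that should stringify to "[native code]". Wallet provider
// methods are legitimately implemented in JavaScript by the extension, so they
// are deliberately NOT in this set.
const EXPECTED_NATIVE = new Set([
  'fetch', 'XMLHttpRequest.prototype.open', 'XMLHttpRequest.prototype.send',
]);

function resolvePath(root, dotted) {
  return dotted.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Heuristic only: a monkey-patched wrapper exposes its JS source through
// Function.prototype.toString, whereas a genuine built-in shows "[native code]".
// An attacker can patch toString as well, so treat this as a signal, not proof.
function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Record the current function objects. Must run before untrusted code.
function snapshotHooks(root, paths = WATCHED_PATHS) {
  const snap = new Map();
  for (const p of paths) {
    const fn = resolvePath(root, p);
    if (typeof fn === 'function') snap.set(p, fn);
  }
  return snap;
}

// Report every watched function whose identity changed since the snapshot, or
// (when no snapshot is available) every expected-native built-in that no longer
// looks native. Returns [] when nothing suspicious is found.
function auditHooks(root, snap = null, paths = WATCHED_PATHS) {
  const findings = [];
  for (const p of paths) {
    const now = resolvePath(root, p);
    if (typeof now !== 'function') continue; // absent in this environment
    if (snap && snap.has(p) && snap.get(p) !== now) {
      findings.push({ path: p, reason: 'replaced' });
    } else if (EXPECTED_NATIVE.has(p) && !looksNative(now)) {
      findings.push({ path: p, reason: 'non-native' });
    }
  }
  return findings;
}

// Constructed stand-in for `window`: real built-ins (Array.prototype.*) play the
// role of the browser-native fetch/XHR methods so looksNative() behaves as it
// would in a browser; the provider methods are plain JS, as in a wallet extension.
function makeFakeWindow() {
  return {
    fetch: Array.prototype.map,
    XMLHttpRequest: { prototype: { open: Array.prototype.filter, send: Array.prototype.forEach } },
    ethereum: {
      request: async (args) => ({ echoed: args }),
      send: () => undefined,
      sendAsync: () => undefined,
    },
  };
}

// Constructed stand-in for a bundle that wraps fetch and the provider's request
// method. The wrappers only forward calls; they exist to show what the audit reports.
function wrapLikeABundle(root) {
  const origFetch = root.fetch;
  root.fetch = function (...args) { return origFetch.apply(this, args); };
  const origRequest = root.ethereum.request;
  root.ethereum.request = (...args) => origRequest(...args);
}

function runDemo() {
  const win = makeFakeWindow();
  const snap = snapshotHooks(win);            // taken "before third-party code"
  const clean = auditHooks(win, snap);        // nothing to report yet
  wrapLikeABundle(win);
  const withSnapshot = auditHooks(win, snap); // identity check catches both wrappers
  const withoutSnapshot = auditHooks(win);    // heuristic alone only catches fetch
  return { clean, withSnapshot, withoutSnapshot };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The identity comparison is the reliable part: once a snapshot exists, any replacement of a watched function is reported regardless of how the wrapper is written. The "[native code]" heuristic is a fallback for pages that cannot take an early snapshot, and it cannot see wrapped provider methods at all, which is why the demo reports only fetch in that mode.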

Mitigation

1. Audit Dependencies: Developers should immediately audit their project's dependencies to identify and remove any compromised packages. This includes checking node_modules and package-lock.json for malicious code. As a direct method of detection, you can scan your node_modules directory for the malicious code using this command, which searches for a unique string found in the payload: grep -r "const _0x112" node_modules/

2. Pin Safe Versions: Use the overrides feature in package.json to pin affected packages to their last known-safe versions. For example:

  {
    "name": "your-project",
    "version": "1.0.0",
    "overrides": {
      "chalk": "5.3.0",
      "strip-ansi": "7.1.0",
      "color-convert": "2.0.1",
      "color-name": "1.1.4",
      "error-ex": "1.3.2",
      "has-ansi": "5.0.1"
    }
  }

3. Reinstall Dependencies: Delete node_modules and package-lock.json, then run npm install to generate a new, clean lockfile.

4. Verify Transactions: Users should meticulously verify all cryptocurrency transactions to ensure the recipient addresses are correct. See this GitHub Gist for a list of all wallets.

5. Monitor for Indicators of Compromise: Check for the presence of the function checkethereumw in your codebase as an indicator of compromise.
