A new cyberattack is silently targeting crypto from users during transactions amid an incident that security researchers describe as the largest supply chain attack in history.
BleepingComputer reported that hackers compromised NPM package maintainer accounts through phishing emails and injected malware that steals crypto.
The attack targeted JavaScript developers with fraudulent emails appearing to originate from “support@npmjs.help,” an impersonated domain mimicking the legitimate NPM registry.
The phishing messages warned maintainers that their accounts would be locked on Sept. 10, unless they updated their two-factor authentication credentials through a malicious link.
Attackers successfully compromised 18 widely-used JavaScript packages with collective weekly downloads exceeding 2.6 billion.
The compromised libraries include fundamental development tools such as “chalk” (300 million weekly downloads), “debug” (358 million), and “ansi-styles” (371 million), affecting virtually the entire JavaScript ecosystem.
When users initiate crypto transfers, the malware silently replaces destination wallet addresses with attacker-controlled accounts before transaction signing.
Aikido Security researcher Charlie Eriksen explained:
“What makes it dangerous is that it operates at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing.”
Hardware wallet users retain protection if they verify transaction details before signing, while software wallet users face a higher risk. Guillemet advised:
“If you don’t use a hardware wallet, refrain from making any on-chain transactions for now.”
He also noted uncertainty about whether attackers can directly extract seed phrases from software wallets.
The attack represents a sophisticated supply chain targeting where criminals compromise trusted development infrastructure to reach end users.
By infiltrating packages downloaded billions of times weekly, attackers gained unprecedented access to cryptocurrency applications and wallet interfaces.
BleepingComputer identified the phishing infrastructure exfiltrating credentials to “websocket-api2.publicvm.com,” demonstrating the coordinated nature of the operation.
This incident follows similar JavaScript library compromises throughout 2025, including the July attack on “eslint-config-prettier,” which had 30 million weekly downloads, and March compromises affecting ten popular NPM libraries.
