Major NPM Supply Chain Attack Targets Crypto Services - Stay Alert Devs.

[nonlogs]

A developer was phished for their NPM credentials, and the attacker compromised all packages published by qix, including popular ones like chalk and debug-js, which together have over 2 billion downloads per week. The attacker pushed updates to these packages that included a crypto stealer.

How it works:
* Wallet hijacking: When you send or approve crypto transactions, it secretly replaces the destination address with the hacker’s wallet.
* Address swapping: While browsing, it looks for crypto addresses on websites and swaps them with fake ones that closely resemble the real ones using text similarity tricks.

The sneaky part: Everything looks normal you see the correct addresses and transactions on your screen but behind the scenes, your funds are silently redirected to the attacker’s wallets.

If you’re a developer, do not update any packages without verifying the authenticity of the update.

More over here => https://news.ycombinator.com/item?id=45169657 https://www.securityalliance.org/news/2025-09-npm-supply-chain

[NotATether]

Thanks for the heads-up.

I'd say the best way to defend against this is to pin the affected packages to versions made before the malicious update using peerDependencies (AI can help do this in the package.json if you don't know.)

Then again, a stronger countermeasure would be to simply not use NodeJS for any project. I myself am thinking of moving some of my projects to Ruby on Rails.

[nonlogs]

Thanks for the heads-up.

I'd say the best way to defend against this is to pin the affected packages to versions made before the malicious update using peerDependencies (AI can help do this in the package.json if you don't know.)

Then again, a stronger countermeasure would be to simply not use NodeJS for any project. I myself am thinking of moving some of my projects to Ruby on Rails.

Yes, it’s better to use fewer dependencies, avoid updating packages without reviewing the logs, and wait a few days before implementing updates, unless it’s a severe bug that could be exploited.

[The Cryptovator]

How it works:
* Wallet hijacking: When you send or approve crypto transactions, it secretly replaces the destination address with the hacker’s wallet.
* Address swapping: While browsing, it looks for crypto addresses on websites and swaps them with fake ones that closely resemble the real ones using text similarity tricks.

This is the dangerous part; when this kind of attack happens, users can't detect that the wallet has been compromised. So unfortunately wallets drain easily, and users lose funds permanently. I have remembered how the Electrum wallet was compromised by this kind of fake update, and users' wallets were drained.

However, developers need to be careful in such cases. Because users normally won't detect such hacks and lost funds. Thanks for sharing with us. Users and developers would take lessons from here.

[dkbit98]

This is a nice example showing what just one compromised guy can do to harm everyone else.
I would say that all wallets with blind signing should be avoided, and not just now but forever.
Luckily only small amount of coins was lost, so everyone should learn a lesson from this incident.

[NotATether]

Yes, it’s better to use fewer dependencies, avoid updating packages without reviewing the logs, and wait a few days before implementing updates, unless it’s a severe bug that could be exploited.

Wordpress is so much better for writing a website than any framework that can be cooked up. Only SaaS will be using NodeJS and even then just the frontend, as the gold standard of backend engineering has always been Python and Go.

[PX-Z]

This is really risky for developers who rely much on dependencies they find through Google searches or community recommendations without proper verification. While dependencies can speed up development significantly, they also introduce potential security vulnerabilities that could compromise both your device and the project.
While the safer path is to build it from scratch, but since that usually takes much more time and resources, it becomes a trade-off situation, convenience versus security which most developers struggle to chose lol.

[rat03gopoh]

which most developers struggle to chose lol.

The biggest burden actually falls on developers. Because average users can't audit code, they rely on a trust chain of app stores, antiviruses, and system updates. Once crypto funds are lost due to a supply chain attack, it's irreversible. There are no refunds or support desks on the blockchain.