September 14, 2025


Massive ‘npm’ Attack Targets Ethereum and Solana Wallets, Only 5 Cents Stolen

Massive npm Supply-Chain Attack Hits Ethereum and Solana Wallets, But Losses Are Minimal

A large-scale supply-chain attack on Node.js packages briefly put billions of users at risk, though the actual financial damage was negligible. Security researchers describe it as one of the most significant software supply-chain incidents in recent years.

The attack began Monday when a phishing email targeted a prominent Node.js developer, known as “qix,” who maintains widely used packages such as chalk and debug-js. The email, sent from support@npmjs[.]help, redirected the developer to a spoofed two-factor authentication page hosted on BunnyCDN. Once the credentials (username, password, and 2FA codes) were captured, the attacker gained full access to the developer’s packages.

With control over the packages, the attacker republished them with a crypto-focused payload targeting Ethereum and Solana wallets.

Malware Mechanics

The injected code first checked for the presence of window.ethereum. If detected, it intercepted Ethereum functions like approve, permit, transfer, and transferFrom, rerouting all transactions to a single wallet: 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976.

On Solana, the malware replaced recipient addresses with invalid strings starting with “1911…,” causing transactions to fail. Additionally, it hijacked fetch and XMLHttpRequest network calls, scanning JSON responses for wallet-like strings and replacing them with one of 280 hardcoded alternatives that appeared legitimate.
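The defensive counterpart to the hooking described above, as an added example that is not code from the article or from any of the affected packages: a first-party script that snapshots the functions the payload replaced (fetch, XMLHttpRequest methods, and the provider's request entry point behind window.ethereum) before any bundle runs, can pin them, and re-checks them later. The path list and the stand-in window object are constructed for illustration.

```javascript
// Added example: detect and block replacement of the browser APIs the payload hooked.
const WATCHED = [
  'fetch',
  'XMLHttpRequest.prototype.open',
  'XMLHttpRequest.prototype.send',
  'ethereum.request', // request entry point of the provider behind window.ethereum
];

// Resolve "a.b.c" on `scope` to [owner, key]; owner is undefined when the path is absent.
function resolve(scope, path) {
  const keys = path.split('.');
  const key = keys.pop();
  const owner = keys.reduce((o, k) => (o == null ? undefined : o[k]), scope);
  return [owner, key];
}

// Snapshot the watched functions. Must run before third-party bundles: a snapshot taken
// after a malicious bundle has loaded would capture the wrapper as the "original".
function snapshotApis(scope, paths = WATCHED) {
  const snap = new Map();
  for (const p of paths) {
    const [owner, key] = resolve(scope, p);
    if (owner && typeof owner[key] === 'function') snap.set(p, owner[key]);
  }
  return snap;
}

// Pin each snapshotted function as non-writable and non-configurable, so a later
// `window.fetch = wrapper` or `ethereum.request = wrapper` has no effect.
function freezeApis(scope, snap) {
  for (const [p, fn] of snap) {
    const [owner, key] = resolve(scope, p);
    const d = Object.getOwnPropertyDescriptor(owner, key);
    Object.defineProperty(owner, key, {
      value: fn, writable: false, configurable: false, enumerable: !!(d && d.enumerable),
    });
  }
}

// Re-check before sensitive actions (e.g. before submitting a transaction). Any API whose
// live function is no longer the snapshotted object has been replaced by a wrapper.
function checkApis(scope, snap) {
  return [...snap]
    .filter(([p, fn]) => { const [o, k] = resolve(scope, p); return !o || o[k] !== fn; })
    .map(([p]) => p);
}

// Constructed stand-in for `window`, so the example runs outside a browser.
function buildDemoScope() {
  function XMLHttpRequest() {}
  XMLHttpRequest.prototype.open = function open() {};
  XMLHttpRequest.prototype.send = function send() {};
  return { fetch: async () => null, XMLHttpRequest, ethereum: { request: async () => null } };
}
```

Pinning XMLHttpRequest.prototype methods also blocks legitimate instrumentation (analytics or APM agents that patch XHR), so a site that uses such tooling must load it before freezeApis or leave those paths out of WATCHED.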

Impact and Response

Despite the massive reach — with the compromised packages downloaded billions of times weekly — losses were minimal. On-chain data show the attacker collected just five cents in Ether and roughly $20 in a low-volume memecoin, according to a Security Alliance report.

Popular wallets remained largely unaffected. MetaMask confirmed that its security features, including version-locking, staged updates, LavaMoat, and Blockaid, blocked malicious code and flagged compromised addresses before any loss occurred.

Ledger CTO Charles Guillemet warned that the malicious payload briefly affected packages with over a billion downloads, silently altering wallet addresses in transactions. The attack follows recent cases noted by ReversingLabs, in which npm packages exploited Ethereum smart contracts to disguise malware and command-and-control traffic.

While the financial impact was small, organizations now face significant operational costs updating systems and auditing code to prevent similar attacks in the future.
