Original Article Text


Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack

In what is being called the largest supply chain attack in history, attackers have injected malware into NPM packages with over 2.6 billion weekly downloads after compromising maintainers' accounts in a phishing attack.

According to Aikido Security, which analyzed the supply-chain attack, the threat actors updated the packages after taking over control, injecting malicious code that acts as a browser-based interceptor into the index.js files, capable of hijacking network traffic and application APIs.

The malicious code only impacts individuals accessing the compromised applications over the web, monitoring for cryptocurrency addresses and transactions that are then redirected to attacker-controlled wallet addresses. This causes the transaction to be hijacked by the attackers rather than being sent to the intended address.

The malware operates by injecting itself into the web browser, monitoring Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash wallet addresses or transfers. On network responses with crypto transactions, it replaces the destinations with attacker-controlled addresses and hijacks transactions before they're signed.

The packages hijacked so far collectively have over 2.6 billion downloads every week.

"The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user," Aikido Security researcher Charlie Eriksen said.

"What makes it dangerous is that it operates at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users' apps believe they are signing."
One of the package maintainers whose accounts were hijacked in this supply-chain attack confirmed the incident earlier today, stating that he was aware of the compromise and adding that the phishing email came from support [at] npmjs [dot] help, a domain that hosts a website impersonating the legitimate npmjs.com domain.

This supply-chain attack follows a series of similar attacks targeting developers of various well-known JavaScript libraries over the past few months. For instance, in July, attackers compromised eslint-config-prettier, a package with over 30 million weekly downloads, while in March, ten other widely used npm libraries were hijacked and turned into info-stealers.

This is a developing story...

Daily Brief Summary

CYBERCRIME // Massive Supply Chain Attack Hits NPM Packages, Targets Crypto Transactions

A significant supply chain attack compromised NPM packages with over 2.6 billion weekly downloads, impacting developers and users globally.

Attackers used phishing tactics to hijack maintainer accounts, injecting malware into index.js files to intercept network traffic and API calls.

The malicious code specifically targets cryptocurrency transactions, redirecting funds to attacker-controlled wallets by altering wallet addresses.

Affected cryptocurrencies include Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash, posing a substantial risk to crypto users.

The attack operates silently, manipulating web3 activity in the browser without the user noticing, raising concerns about the integrity of web applications.

Affected maintainers confirmed the phishing attack originated from a domain impersonating npmjs.com, indicating sophisticated social engineering tactics.

This incident is part of a troubling trend of attacks on JavaScript libraries, stressing the need for enhanced security measures in software development.