NPM Attack Results in Under $50 Crypto Theft: Security Insights & Prevention Tips


Not Even $50 Of Crypto Stolen From Large-Scale NPM Attack

Hackers have reportedly pilfered a mere $50 in cryptocurrency from a significant supply chain breach that has impacted JavaScript software libraries, according to security experts in the industry. On Monday, the crypto intelligence platform Security Alliance disclosed that cybercriminals had infiltrated the node package manager (NPM) account of a prominent software developer, inserting malware into well-known JavaScript libraries that have been downloaded over a billion times. This incident poses a potential risk to numerous cryptocurrency projects, with Ethereum and Solana wallets being specifically targeted, as noted by Security Alliance.

In a fortunate turn of events, the theft from the crypto ecosystem remains limited to less than $50, as stated by the security firm, which identified the Ethereum wallet address “0xFc4a48” as the sole malicious address recognized to date. In a post on X, the firm highlighted the irony of the situation: “Imagine gaining access to an NPM developer’s account with packages downloaded over 2 billion times weekly. You could tap into millions of developer workstations. Yet, you profit less than 50 USD.”

### Hacker’s Missed Opportunity

The hacker appears to have underutilized their extensive access, with SEAL security researcher Samczsun commenting to Cointelegraph, “It’s akin to discovering the keycard to Fort Knox and merely using it as a bookmark. While the malware was widespread, it is now almost entirely contained.” Interestingly, the initially reported theft of five cents was later adjusted to $50, indicating that the full extent of the damage may still be evolving.

### Small Amounts of Ether and Memecoins Stolen

The five cents initially reported was in Ether (ETH), with an additional $20 worth of a memecoin also compromised, according to Security Alliance. Data from Etherscan reveals that the malicious wallet has received various memecoins, including Brett (BRETT), Andy (ANDY), Dork Lord (DORK), Ethervista (VISTA), and Gondola (GONDOLA).

### Ongoing Risks for Unaffected Crypto Projects

The breach specifically targeted packages such as chalk, strip-ansi, and color-convert—small utilities that are deeply embedded in the dependency trees of numerous projects. This means that even developers who have never directly installed these packages could still be pulling compromised versions in transitively through other dependencies. NPM serves as a repository for developers, functioning like an app store where they can share and download code packages to create JavaScript applications.

### Nature of the Malware and Recommendations for Caution

The attackers appear to have deployed a crypto-clipper, a type of malware designed to stealthily alter wallet addresses during transactions, thereby misdirecting funds. Ledger’s chief technology officer, Charles Guillemet, along with others, has advised crypto users to exercise caution when confirming on-chain transactions.

### Crypto Wallet Providers Confirm Safety

Prominent crypto wallet providers such as Ledger and MetaMask have reassured users that their platforms remain secure from the NPM attack, attributing their safety to “multiple layers of defense” against such threats. The team behind Phantom Wallet confirmed they do not utilize any vulnerable versions of the impacted packages, while Uniswap stated that none of its applications are affected. Other crypto platforms like Aerodrome, Blast, Blockstream Jade, and Revoke.cash have also reported that they are not impacted by the supply chain breach.

### Caution Advised for Crypto Projects

0xngmi, the anonymous founder of the crypto analytics platform DeFiLlama, noted that only those crypto projects that updated after the release of the malware-infected NPM package might be at risk. He emphasized that even in those cases, users would need to authorize the malicious transaction for it to be executed. Echoing Guillemet’s sentiments, he suggested that it may be wise to refrain from using crypto websites until developers address and rectify the compromised packages.
